cfg80211: add tracing for P2P Device start/stop
[linux-3.10.git] / net / wireless / nl80211.c
1 /*
2  * This is the new netlink-based wireless configuration interface.
3  *
4  * Copyright 2006-2010  Johannes Berg <johannes@sipsolutions.net>
5  */
6
7 #include <linux/if.h>
8 #include <linux/module.h>
9 #include <linux/err.h>
10 #include <linux/slab.h>
11 #include <linux/list.h>
12 #include <linux/if_ether.h>
13 #include <linux/ieee80211.h>
14 #include <linux/nl80211.h>
15 #include <linux/rtnetlink.h>
16 #include <linux/netlink.h>
17 #include <linux/etherdevice.h>
18 #include <net/net_namespace.h>
19 #include <net/genetlink.h>
20 #include <net/cfg80211.h>
21 #include <net/sock.h>
22 #include "core.h"
23 #include "nl80211.h"
24 #include "reg.h"
25 #include "rdev-ops.h"
26
27 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
28                                    struct genl_info *info,
29                                    struct cfg80211_crypto_settings *settings,
30                                    int cipher_limit);
31
32 static int nl80211_pre_doit(struct genl_ops *ops, struct sk_buff *skb,
33                             struct genl_info *info);
34 static void nl80211_post_doit(struct genl_ops *ops, struct sk_buff *skb,
35                               struct genl_info *info);
36
37 /* the netlink family */
38 static struct genl_family nl80211_fam = {
39         .id = GENL_ID_GENERATE, /* don't bother with a hardcoded ID */
40         .name = "nl80211",      /* have users key off the name instead */
41         .hdrsize = 0,           /* no private header */
42         .version = 1,           /* no particular meaning now */
43         .maxattr = NL80211_ATTR_MAX,
44         .netnsok = true,
45         .pre_doit = nl80211_pre_doit,
46         .post_doit = nl80211_post_doit,
47 };
48
49 /* returns ERR_PTR values */
50 static struct wireless_dev *
51 __cfg80211_wdev_from_attrs(struct net *netns, struct nlattr **attrs)
52 {
53         struct cfg80211_registered_device *rdev;
54         struct wireless_dev *result = NULL;
55         bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
56         bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
57         u64 wdev_id;
58         int wiphy_idx = -1;
59         int ifidx = -1;
60
61         assert_cfg80211_lock();
62
63         if (!have_ifidx && !have_wdev_id)
64                 return ERR_PTR(-EINVAL);
65
66         if (have_ifidx)
67                 ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
68         if (have_wdev_id) {
69                 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
70                 wiphy_idx = wdev_id >> 32;
71         }
72
73         list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
74                 struct wireless_dev *wdev;
75
76                 if (wiphy_net(&rdev->wiphy) != netns)
77                         continue;
78
79                 if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
80                         continue;
81
82                 mutex_lock(&rdev->devlist_mtx);
83                 list_for_each_entry(wdev, &rdev->wdev_list, list) {
84                         if (have_ifidx && wdev->netdev &&
85                             wdev->netdev->ifindex == ifidx) {
86                                 result = wdev;
87                                 break;
88                         }
89                         if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
90                                 result = wdev;
91                                 break;
92                         }
93                 }
94                 mutex_unlock(&rdev->devlist_mtx);
95
96                 if (result)
97                         break;
98         }
99
100         if (result)
101                 return result;
102         return ERR_PTR(-ENODEV);
103 }
104
105 static struct cfg80211_registered_device *
106 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
107 {
108         struct cfg80211_registered_device *rdev = NULL, *tmp;
109         struct net_device *netdev;
110
111         assert_cfg80211_lock();
112
113         if (!attrs[NL80211_ATTR_WIPHY] &&
114             !attrs[NL80211_ATTR_IFINDEX] &&
115             !attrs[NL80211_ATTR_WDEV])
116                 return ERR_PTR(-EINVAL);
117
118         if (attrs[NL80211_ATTR_WIPHY])
119                 rdev = cfg80211_rdev_by_wiphy_idx(
120                                 nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
121
122         if (attrs[NL80211_ATTR_WDEV]) {
123                 u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
124                 struct wireless_dev *wdev;
125                 bool found = false;
126
127                 tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
128                 if (tmp) {
129                         /* make sure wdev exists */
130                         mutex_lock(&tmp->devlist_mtx);
131                         list_for_each_entry(wdev, &tmp->wdev_list, list) {
132                                 if (wdev->identifier != (u32)wdev_id)
133                                         continue;
134                                 found = true;
135                                 break;
136                         }
137                         mutex_unlock(&tmp->devlist_mtx);
138
139                         if (!found)
140                                 tmp = NULL;
141
142                         if (rdev && tmp != rdev)
143                                 return ERR_PTR(-EINVAL);
144                         rdev = tmp;
145                 }
146         }
147
148         if (attrs[NL80211_ATTR_IFINDEX]) {
149                 int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
150                 netdev = dev_get_by_index(netns, ifindex);
151                 if (netdev) {
152                         if (netdev->ieee80211_ptr)
153                                 tmp = wiphy_to_dev(
154                                                 netdev->ieee80211_ptr->wiphy);
155                         else
156                                 tmp = NULL;
157
158                         dev_put(netdev);
159
160                         /* not wireless device -- return error */
161                         if (!tmp)
162                                 return ERR_PTR(-EINVAL);
163
164                         /* mismatch -- return error */
165                         if (rdev && tmp != rdev)
166                                 return ERR_PTR(-EINVAL);
167
168                         rdev = tmp;
169                 }
170         }
171
172         if (!rdev)
173                 return ERR_PTR(-ENODEV);
174
175         if (netns != wiphy_net(&rdev->wiphy))
176                 return ERR_PTR(-ENODEV);
177
178         return rdev;
179 }
180
181 /*
182  * This function returns a pointer to the driver
183  * that the genl_info item that is passed refers to.
184  * If successful, it returns non-NULL and also locks
185  * the driver's mutex!
186  *
187  * This means that you need to call cfg80211_unlock_rdev()
188  * before being allowed to acquire &cfg80211_mutex!
189  *
190  * This is necessary because we need to lock the global
191  * mutex to get an item off the list safely, and then
192  * we lock the rdev mutex so it doesn't go away under us.
193  *
194  * We don't want to keep cfg80211_mutex locked
195  * for all the time in order to allow requests on
196  * other interfaces to go through at the same time.
197  *
198  * The result of this can be a PTR_ERR and hence must
199  * be checked with IS_ERR() for errors.
200  */
201 static struct cfg80211_registered_device *
202 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
203 {
204         struct cfg80211_registered_device *rdev;
205
206         mutex_lock(&cfg80211_mutex);
207         rdev = __cfg80211_rdev_from_attrs(netns, info->attrs);
208
209         /* if it is not an error we grab the lock on
210          * it to assure it won't be going away while
211          * we operate on it */
212         if (!IS_ERR(rdev))
213                 mutex_lock(&rdev->mtx);
214
215         mutex_unlock(&cfg80211_mutex);
216
217         return rdev;
218 }
219
220 /* policy for the attributes */
221 static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = {
222         [NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
223         [NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
224                                       .len = 20-1 },
225         [NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
226         [NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
227         [NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
228         [NL80211_ATTR_WIPHY_RETRY_SHORT] = { .type = NLA_U8 },
229         [NL80211_ATTR_WIPHY_RETRY_LONG] = { .type = NLA_U8 },
230         [NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
231         [NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
232         [NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
233
234         [NL80211_ATTR_IFTYPE] = { .type = NLA_U32 },
235         [NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
236         [NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
237
238         [NL80211_ATTR_MAC] = { .len = ETH_ALEN },
239         [NL80211_ATTR_PREV_BSSID] = { .len = ETH_ALEN },
240
241         [NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
242         [NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
243                                     .len = WLAN_MAX_KEY_LEN },
244         [NL80211_ATTR_KEY_IDX] = { .type = NLA_U8 },
245         [NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
246         [NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
247         [NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
248         [NL80211_ATTR_KEY_TYPE] = { .type = NLA_U32 },
249
250         [NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
251         [NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
252         [NL80211_ATTR_BEACON_HEAD] = { .type = NLA_BINARY,
253                                        .len = IEEE80211_MAX_DATA_LEN },
254         [NL80211_ATTR_BEACON_TAIL] = { .type = NLA_BINARY,
255                                        .len = IEEE80211_MAX_DATA_LEN },
256         [NL80211_ATTR_STA_AID] = { .type = NLA_U16 },
257         [NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
258         [NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
259         [NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
260                                                .len = NL80211_MAX_SUPP_RATES },
261         [NL80211_ATTR_STA_PLINK_ACTION] = { .type = NLA_U8 },
262         [NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
263         [NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
264         [NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
265                                    .len = IEEE80211_MAX_MESH_ID_LEN },
266         [NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_U32 },
267
268         [NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
269         [NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
270
271         [NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
272         [NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
273         [NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
274         [NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
275                                            .len = NL80211_MAX_SUPP_RATES },
276         [NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
277
278         [NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
279         [NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
280
281         [NL80211_ATTR_HT_CAPABILITY] = { .len = NL80211_HT_CAPABILITY_LEN },
282
283         [NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
284         [NL80211_ATTR_IE] = { .type = NLA_BINARY,
285                               .len = IEEE80211_MAX_DATA_LEN },
286         [NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
287         [NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
288
289         [NL80211_ATTR_SSID] = { .type = NLA_BINARY,
290                                 .len = IEEE80211_MAX_SSID_LEN },
291         [NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
292         [NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
293         [NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
294         [NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
295         [NL80211_ATTR_USE_MFP] = { .type = NLA_U32 },
296         [NL80211_ATTR_STA_FLAGS2] = {
297                 .len = sizeof(struct nl80211_sta_flag_update),
298         },
299         [NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
300         [NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
301         [NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
302         [NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
303         [NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
304         [NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
305         [NL80211_ATTR_PID] = { .type = NLA_U32 },
306         [NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
307         [NL80211_ATTR_PMKID] = { .type = NLA_BINARY,
308                                  .len = WLAN_PMKID_LEN },
309         [NL80211_ATTR_DURATION] = { .type = NLA_U32 },
310         [NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
311         [NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
312         [NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
313                                  .len = IEEE80211_MAX_DATA_LEN },
314         [NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
315         [NL80211_ATTR_PS_STATE] = { .type = NLA_U32 },
316         [NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
317         [NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
318         [NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
319         [NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
320         [NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
321         [NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
322         [NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
323         [NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
324         [NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
325         [NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
326         [NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
327         [NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
328         [NL80211_ATTR_STA_PLINK_STATE] = { .type = NLA_U8 },
329         [NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
330         [NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
331         [NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
332         [NL80211_ATTR_HIDDEN_SSID] = { .type = NLA_U32 },
333         [NL80211_ATTR_IE_PROBE_RESP] = { .type = NLA_BINARY,
334                                          .len = IEEE80211_MAX_DATA_LEN },
335         [NL80211_ATTR_IE_ASSOC_RESP] = { .type = NLA_BINARY,
336                                          .len = IEEE80211_MAX_DATA_LEN },
337         [NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
338         [NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
339         [NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
340         [NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
341         [NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
342         [NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
343         [NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
344         [NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
345         [NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
346         [NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
347                                       .len = IEEE80211_MAX_DATA_LEN },
348         [NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
349         [NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
350         [NL80211_ATTR_HT_CAPABILITY_MASK] = {
351                 .len = NL80211_HT_CAPABILITY_LEN
352         },
353         [NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
354         [NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
355         [NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
356         [NL80211_ATTR_WDEV] = { .type = NLA_U64 },
357         [NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
358         [NL80211_ATTR_SAE_DATA] = { .type = NLA_BINARY, },
359         [NL80211_ATTR_VHT_CAPABILITY] = { .len = NL80211_VHT_CAPABILITY_LEN },
360         [NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
361 };
362
363 /* policy for the key attributes */
364 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
365         [NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
366         [NL80211_KEY_IDX] = { .type = NLA_U8 },
367         [NL80211_KEY_CIPHER] = { .type = NLA_U32 },
368         [NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
369         [NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
370         [NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
371         [NL80211_KEY_TYPE] = { .type = NLA_U32 },
372         [NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
373 };
374
375 /* policy for the key default flags */
376 static const struct nla_policy
377 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
378         [NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
379         [NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
380 };
381
382 /* policy for WoWLAN attributes */
383 static const struct nla_policy
384 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
385         [NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
386         [NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
387         [NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
388         [NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
389         [NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
390         [NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
391         [NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
392         [NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
393 };
394
395 /* policy for GTK rekey offload attributes */
396 static const struct nla_policy
397 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
398         [NL80211_REKEY_DATA_KEK] = { .len = NL80211_KEK_LEN },
399         [NL80211_REKEY_DATA_KCK] = { .len = NL80211_KCK_LEN },
400         [NL80211_REKEY_DATA_REPLAY_CTR] = { .len = NL80211_REPLAY_CTR_LEN },
401 };
402
403 static const struct nla_policy
404 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
405         [NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
406                                                  .len = IEEE80211_MAX_SSID_LEN },
407         [NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
408 };
409
410 /* ifidx get helper */
411 static int nl80211_get_ifidx(struct netlink_callback *cb)
412 {
413         int res;
414
415         res = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
416                           nl80211_fam.attrbuf, nl80211_fam.maxattr,
417                           nl80211_policy);
418         if (res)
419                 return res;
420
421         if (!nl80211_fam.attrbuf[NL80211_ATTR_IFINDEX])
422                 return -EINVAL;
423
424         res = nla_get_u32(nl80211_fam.attrbuf[NL80211_ATTR_IFINDEX]);
425         if (!res)
426                 return -EINVAL;
427         return res;
428 }
429
430 static int nl80211_prepare_netdev_dump(struct sk_buff *skb,
431                                        struct netlink_callback *cb,
432                                        struct cfg80211_registered_device **rdev,
433                                        struct net_device **dev)
434 {
435         int ifidx = cb->args[0];
436         int err;
437
438         if (!ifidx)
439                 ifidx = nl80211_get_ifidx(cb);
440         if (ifidx < 0)
441                 return ifidx;
442
443         cb->args[0] = ifidx;
444
445         rtnl_lock();
446
447         *dev = __dev_get_by_index(sock_net(skb->sk), ifidx);
448         if (!*dev) {
449                 err = -ENODEV;
450                 goto out_rtnl;
451         }
452
453         *rdev = cfg80211_get_dev_from_ifindex(sock_net(skb->sk), ifidx);
454         if (IS_ERR(*rdev)) {
455                 err = PTR_ERR(*rdev);
456                 goto out_rtnl;
457         }
458
459         return 0;
460  out_rtnl:
461         rtnl_unlock();
462         return err;
463 }
464
465 static void nl80211_finish_netdev_dump(struct cfg80211_registered_device *rdev)
466 {
467         cfg80211_unlock_rdev(rdev);
468         rtnl_unlock();
469 }
470
471 /* IE validation */
472 static bool is_valid_ie_attr(const struct nlattr *attr)
473 {
474         const u8 *pos;
475         int len;
476
477         if (!attr)
478                 return true;
479
480         pos = nla_data(attr);
481         len = nla_len(attr);
482
483         while (len) {
484                 u8 elemlen;
485
486                 if (len < 2)
487                         return false;
488                 len -= 2;
489
490                 elemlen = pos[1];
491                 if (elemlen > len)
492                         return false;
493
494                 len -= elemlen;
495                 pos += 2 + elemlen;
496         }
497
498         return true;
499 }
500
501 /* message building helper */
502 static inline void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
503                                    int flags, u8 cmd)
504 {
505         /* since there is no private header just add the generic one */
506         return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
507 }
508
509 static int nl80211_msg_put_channel(struct sk_buff *msg,
510                                    struct ieee80211_channel *chan)
511 {
512         if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
513                         chan->center_freq))
514                 goto nla_put_failure;
515
516         if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
517             nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
518                 goto nla_put_failure;
519         if ((chan->flags & IEEE80211_CHAN_PASSIVE_SCAN) &&
520             nla_put_flag(msg, NL80211_FREQUENCY_ATTR_PASSIVE_SCAN))
521                 goto nla_put_failure;
522         if ((chan->flags & IEEE80211_CHAN_NO_IBSS) &&
523             nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IBSS))
524                 goto nla_put_failure;
525         if ((chan->flags & IEEE80211_CHAN_RADAR) &&
526             nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
527                 goto nla_put_failure;
528
529         if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
530                         DBM_TO_MBM(chan->max_power)))
531                 goto nla_put_failure;
532
533         return 0;
534
535  nla_put_failure:
536         return -ENOBUFS;
537 }
538
539 /* netlink command implementations */
540
541 struct key_parse {
542         struct key_params p;
543         int idx;
544         int type;
545         bool def, defmgmt;
546         bool def_uni, def_multi;
547 };
548
549 static int nl80211_parse_key_new(struct nlattr *key, struct key_parse *k)
550 {
551         struct nlattr *tb[NL80211_KEY_MAX + 1];
552         int err = nla_parse_nested(tb, NL80211_KEY_MAX, key,
553                                    nl80211_key_policy);
554         if (err)
555                 return err;
556
557         k->def = !!tb[NL80211_KEY_DEFAULT];
558         k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
559
560         if (k->def) {
561                 k->def_uni = true;
562                 k->def_multi = true;
563         }
564         if (k->defmgmt)
565                 k->def_multi = true;
566
567         if (tb[NL80211_KEY_IDX])
568                 k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
569
570         if (tb[NL80211_KEY_DATA]) {
571                 k->p.key = nla_data(tb[NL80211_KEY_DATA]);
572                 k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
573         }
574
575         if (tb[NL80211_KEY_SEQ]) {
576                 k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
577                 k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
578         }
579
580         if (tb[NL80211_KEY_CIPHER])
581                 k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
582
583         if (tb[NL80211_KEY_TYPE]) {
584                 k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
585                 if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
586                         return -EINVAL;
587         }
588
589         if (tb[NL80211_KEY_DEFAULT_TYPES]) {
590                 struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
591                 err = nla_parse_nested(kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
592                                        tb[NL80211_KEY_DEFAULT_TYPES],
593                                        nl80211_key_default_policy);
594                 if (err)
595                         return err;
596
597                 k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
598                 k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
599         }
600
601         return 0;
602 }
603
604 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
605 {
606         if (info->attrs[NL80211_ATTR_KEY_DATA]) {
607                 k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
608                 k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
609         }
610
611         if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
612                 k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
613                 k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
614         }
615
616         if (info->attrs[NL80211_ATTR_KEY_IDX])
617                 k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
618
619         if (info->attrs[NL80211_ATTR_KEY_CIPHER])
620                 k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
621
622         k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
623         k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
624
625         if (k->def) {
626                 k->def_uni = true;
627                 k->def_multi = true;
628         }
629         if (k->defmgmt)
630                 k->def_multi = true;
631
632         if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
633                 k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
634                 if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
635                         return -EINVAL;
636         }
637
638         if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
639                 struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
640                 int err = nla_parse_nested(
641                                 kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
642                                 info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
643                                 nl80211_key_default_policy);
644                 if (err)
645                         return err;
646
647                 k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
648                 k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
649         }
650
651         return 0;
652 }
653
654 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
655 {
656         int err;
657
658         memset(k, 0, sizeof(*k));
659         k->idx = -1;
660         k->type = -1;
661
662         if (info->attrs[NL80211_ATTR_KEY])
663                 err = nl80211_parse_key_new(info->attrs[NL80211_ATTR_KEY], k);
664         else
665                 err = nl80211_parse_key_old(info, k);
666
667         if (err)
668                 return err;
669
670         if (k->def && k->defmgmt)
671                 return -EINVAL;
672
673         if (k->defmgmt) {
674                 if (k->def_uni || !k->def_multi)
675                         return -EINVAL;
676         }
677
678         if (k->idx != -1) {
679                 if (k->defmgmt) {
680                         if (k->idx < 4 || k->idx > 5)
681                                 return -EINVAL;
682                 } else if (k->def) {
683                         if (k->idx < 0 || k->idx > 3)
684                                 return -EINVAL;
685                 } else {
686                         if (k->idx < 0 || k->idx > 5)
687                                 return -EINVAL;
688                 }
689         }
690
691         return 0;
692 }
693
694 static struct cfg80211_cached_keys *
695 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
696                        struct nlattr *keys, bool *no_ht)
697 {
698         struct key_parse parse;
699         struct nlattr *key;
700         struct cfg80211_cached_keys *result;
701         int rem, err, def = 0;
702
703         result = kzalloc(sizeof(*result), GFP_KERNEL);
704         if (!result)
705                 return ERR_PTR(-ENOMEM);
706
707         result->def = -1;
708         result->defmgmt = -1;
709
710         nla_for_each_nested(key, keys, rem) {
711                 memset(&parse, 0, sizeof(parse));
712                 parse.idx = -1;
713
714                 err = nl80211_parse_key_new(key, &parse);
715                 if (err)
716                         goto error;
717                 err = -EINVAL;
718                 if (!parse.p.key)
719                         goto error;
720                 if (parse.idx < 0 || parse.idx > 4)
721                         goto error;
722                 if (parse.def) {
723                         if (def)
724                                 goto error;
725                         def = 1;
726                         result->def = parse.idx;
727                         if (!parse.def_uni || !parse.def_multi)
728                                 goto error;
729                 } else if (parse.defmgmt)
730                         goto error;
731                 err = cfg80211_validate_key_settings(rdev, &parse.p,
732                                                      parse.idx, false, NULL);
733                 if (err)
734                         goto error;
735                 result->params[parse.idx].cipher = parse.p.cipher;
736                 result->params[parse.idx].key_len = parse.p.key_len;
737                 result->params[parse.idx].key = result->data[parse.idx];
738                 memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
739
740                 if (parse.p.cipher == WLAN_CIPHER_SUITE_WEP40 ||
741                     parse.p.cipher == WLAN_CIPHER_SUITE_WEP104) {
742                         if (no_ht)
743                                 *no_ht = true;
744                 }
745         }
746
747         return result;
748  error:
749         kfree(result);
750         return ERR_PTR(err);
751 }
752
753 static int nl80211_key_allowed(struct wireless_dev *wdev)
754 {
755         ASSERT_WDEV_LOCK(wdev);
756
757         switch (wdev->iftype) {
758         case NL80211_IFTYPE_AP:
759         case NL80211_IFTYPE_AP_VLAN:
760         case NL80211_IFTYPE_P2P_GO:
761         case NL80211_IFTYPE_MESH_POINT:
762                 break;
763         case NL80211_IFTYPE_ADHOC:
764                 if (!wdev->current_bss)
765                         return -ENOLINK;
766                 break;
767         case NL80211_IFTYPE_STATION:
768         case NL80211_IFTYPE_P2P_CLIENT:
769                 if (wdev->sme_state != CFG80211_SME_CONNECTED)
770                         return -ENOLINK;
771                 break;
772         default:
773                 return -EINVAL;
774         }
775
776         return 0;
777 }
778
779 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
780 {
781         struct nlattr *nl_modes = nla_nest_start(msg, attr);
782         int i;
783
784         if (!nl_modes)
785                 goto nla_put_failure;
786
787         i = 0;
788         while (ifmodes) {
789                 if ((ifmodes & 1) && nla_put_flag(msg, i))
790                         goto nla_put_failure;
791                 ifmodes >>= 1;
792                 i++;
793         }
794
795         nla_nest_end(msg, nl_modes);
796         return 0;
797
798 nla_put_failure:
799         return -ENOBUFS;
800 }
801
802 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
803                                           struct sk_buff *msg)
804 {
805         struct nlattr *nl_combis;
806         int i, j;
807
808         nl_combis = nla_nest_start(msg,
809                                 NL80211_ATTR_INTERFACE_COMBINATIONS);
810         if (!nl_combis)
811                 goto nla_put_failure;
812
813         for (i = 0; i < wiphy->n_iface_combinations; i++) {
814                 const struct ieee80211_iface_combination *c;
815                 struct nlattr *nl_combi, *nl_limits;
816
817                 c = &wiphy->iface_combinations[i];
818
819                 nl_combi = nla_nest_start(msg, i + 1);
820                 if (!nl_combi)
821                         goto nla_put_failure;
822
823                 nl_limits = nla_nest_start(msg, NL80211_IFACE_COMB_LIMITS);
824                 if (!nl_limits)
825                         goto nla_put_failure;
826
827                 for (j = 0; j < c->n_limits; j++) {
828                         struct nlattr *nl_limit;
829
830                         nl_limit = nla_nest_start(msg, j + 1);
831                         if (!nl_limit)
832                                 goto nla_put_failure;
833                         if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
834                                         c->limits[j].max))
835                                 goto nla_put_failure;
836                         if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
837                                                 c->limits[j].types))
838                                 goto nla_put_failure;
839                         nla_nest_end(msg, nl_limit);
840                 }
841
842                 nla_nest_end(msg, nl_limits);
843
844                 if (c->beacon_int_infra_match &&
845                     nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
846                         goto nla_put_failure;
847                 if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
848                                 c->num_different_channels) ||
849                     nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
850                                 c->max_interfaces))
851                         goto nla_put_failure;
852
853                 nla_nest_end(msg, nl_combi);
854         }
855
856         nla_nest_end(msg, nl_combis);
857
858         return 0;
859 nla_put_failure:
860         return -ENOBUFS;
861 }
862
863 static int nl80211_send_wiphy(struct sk_buff *msg, u32 portid, u32 seq, int flags,
864                               struct cfg80211_registered_device *dev)
865 {
866         void *hdr;
867         struct nlattr *nl_bands, *nl_band;
868         struct nlattr *nl_freqs, *nl_freq;
869         struct nlattr *nl_rates, *nl_rate;
870         struct nlattr *nl_cmds;
871         enum ieee80211_band band;
872         struct ieee80211_channel *chan;
873         struct ieee80211_rate *rate;
874         int i;
875         const struct ieee80211_txrx_stypes *mgmt_stypes =
876                                 dev->wiphy.mgmt_stypes;
877
878         hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_WIPHY);
879         if (!hdr)
880                 return -1;
881
882         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, dev->wiphy_idx) ||
883             nla_put_string(msg, NL80211_ATTR_WIPHY_NAME, wiphy_name(&dev->wiphy)) ||
884             nla_put_u32(msg, NL80211_ATTR_GENERATION,
885                         cfg80211_rdev_list_generation) ||
886             nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
887                        dev->wiphy.retry_short) ||
888             nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
889                        dev->wiphy.retry_long) ||
890             nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
891                         dev->wiphy.frag_threshold) ||
892             nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
893                         dev->wiphy.rts_threshold) ||
894             nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
895                        dev->wiphy.coverage_class) ||
896             nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
897                        dev->wiphy.max_scan_ssids) ||
898             nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
899                        dev->wiphy.max_sched_scan_ssids) ||
900             nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
901                         dev->wiphy.max_scan_ie_len) ||
902             nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
903                         dev->wiphy.max_sched_scan_ie_len) ||
904             nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
905                        dev->wiphy.max_match_sets))
906                 goto nla_put_failure;
907
908         if ((dev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
909             nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
910                 goto nla_put_failure;
911         if ((dev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
912             nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
913                 goto nla_put_failure;
914         if ((dev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
915             nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
916                 goto nla_put_failure;
917         if ((dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
918             nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
919                 goto nla_put_failure;
920         if ((dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
921             nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
922                 goto nla_put_failure;
923         if ((dev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
924             nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
925                 goto nla_put_failure;
926
927         if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
928                     sizeof(u32) * dev->wiphy.n_cipher_suites,
929                     dev->wiphy.cipher_suites))
930                 goto nla_put_failure;
931
932         if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
933                        dev->wiphy.max_num_pmkids))
934                 goto nla_put_failure;
935
936         if ((dev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
937             nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
938                 goto nla_put_failure;
939
940         if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
941                         dev->wiphy.available_antennas_tx) ||
942             nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
943                         dev->wiphy.available_antennas_rx))
944                 goto nla_put_failure;
945
946         if ((dev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
947             nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
948                         dev->wiphy.probe_resp_offload))
949                 goto nla_put_failure;
950
951         if ((dev->wiphy.available_antennas_tx ||
952              dev->wiphy.available_antennas_rx) && dev->ops->get_antenna) {
953                 u32 tx_ant = 0, rx_ant = 0;
954                 int res;
955                 res = rdev_get_antenna(dev, &tx_ant, &rx_ant);
956                 if (!res) {
957                         if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_TX,
958                                         tx_ant) ||
959                             nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_RX,
960                                         rx_ant))
961                                 goto nla_put_failure;
962                 }
963         }
964
965         if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
966                                 dev->wiphy.interface_modes))
967                 goto nla_put_failure;
968
969         nl_bands = nla_nest_start(msg, NL80211_ATTR_WIPHY_BANDS);
970         if (!nl_bands)
971                 goto nla_put_failure;
972
973         for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
974                 if (!dev->wiphy.bands[band])
975                         continue;
976
977                 nl_band = nla_nest_start(msg, band);
978                 if (!nl_band)
979                         goto nla_put_failure;
980
981                 /* add HT info */
982                 if (dev->wiphy.bands[band]->ht_cap.ht_supported &&
983                     (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
984                              sizeof(dev->wiphy.bands[band]->ht_cap.mcs),
985                              &dev->wiphy.bands[band]->ht_cap.mcs) ||
986                      nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
987                                  dev->wiphy.bands[band]->ht_cap.cap) ||
988                      nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
989                                 dev->wiphy.bands[band]->ht_cap.ampdu_factor) ||
990                      nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
991                                 dev->wiphy.bands[band]->ht_cap.ampdu_density)))
992                         goto nla_put_failure;
993
994                 /* add VHT info */
995                 if (dev->wiphy.bands[band]->vht_cap.vht_supported &&
996                     (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
997                              sizeof(dev->wiphy.bands[band]->vht_cap.vht_mcs),
998                              &dev->wiphy.bands[band]->vht_cap.vht_mcs) ||
999                      nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1000                                  dev->wiphy.bands[band]->vht_cap.cap)))
1001                         goto nla_put_failure;
1002
1003                 /* add frequencies */
1004                 nl_freqs = nla_nest_start(msg, NL80211_BAND_ATTR_FREQS);
1005                 if (!nl_freqs)
1006                         goto nla_put_failure;
1007
1008                 for (i = 0; i < dev->wiphy.bands[band]->n_channels; i++) {
1009                         nl_freq = nla_nest_start(msg, i);
1010                         if (!nl_freq)
1011                                 goto nla_put_failure;
1012
1013                         chan = &dev->wiphy.bands[band]->channels[i];
1014
1015                         if (nl80211_msg_put_channel(msg, chan))
1016                                 goto nla_put_failure;
1017
1018                         nla_nest_end(msg, nl_freq);
1019                 }
1020
1021                 nla_nest_end(msg, nl_freqs);
1022
1023                 /* add bitrates */
1024                 nl_rates = nla_nest_start(msg, NL80211_BAND_ATTR_RATES);
1025                 if (!nl_rates)
1026                         goto nla_put_failure;
1027
1028                 for (i = 0; i < dev->wiphy.bands[band]->n_bitrates; i++) {
1029                         nl_rate = nla_nest_start(msg, i);
1030                         if (!nl_rate)
1031                                 goto nla_put_failure;
1032
1033                         rate = &dev->wiphy.bands[band]->bitrates[i];
1034                         if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1035                                         rate->bitrate))
1036                                 goto nla_put_failure;
1037                         if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1038                             nla_put_flag(msg,
1039                                          NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1040                                 goto nla_put_failure;
1041
1042                         nla_nest_end(msg, nl_rate);
1043                 }
1044
1045                 nla_nest_end(msg, nl_rates);
1046
1047                 nla_nest_end(msg, nl_band);
1048         }
1049         nla_nest_end(msg, nl_bands);
1050
1051         nl_cmds = nla_nest_start(msg, NL80211_ATTR_SUPPORTED_COMMANDS);
1052         if (!nl_cmds)
1053                 goto nla_put_failure;
1054
1055         i = 0;
1056 #define CMD(op, n)                                              \
1057          do {                                                   \
1058                 if (dev->ops->op) {                             \
1059                         i++;                                    \
1060                         if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) \
1061                                 goto nla_put_failure;           \
1062                 }                                               \
1063         } while (0)
1064
1065         CMD(add_virtual_intf, NEW_INTERFACE);
1066         CMD(change_virtual_intf, SET_INTERFACE);
1067         CMD(add_key, NEW_KEY);
1068         CMD(start_ap, START_AP);
1069         CMD(add_station, NEW_STATION);
1070         CMD(add_mpath, NEW_MPATH);
1071         CMD(update_mesh_config, SET_MESH_CONFIG);
1072         CMD(change_bss, SET_BSS);
1073         CMD(auth, AUTHENTICATE);
1074         CMD(assoc, ASSOCIATE);
1075         CMD(deauth, DEAUTHENTICATE);
1076         CMD(disassoc, DISASSOCIATE);
1077         CMD(join_ibss, JOIN_IBSS);
1078         CMD(join_mesh, JOIN_MESH);
1079         CMD(set_pmksa, SET_PMKSA);
1080         CMD(del_pmksa, DEL_PMKSA);
1081         CMD(flush_pmksa, FLUSH_PMKSA);
1082         if (dev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1083                 CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1084         CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1085         CMD(mgmt_tx, FRAME);
1086         CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1087         if (dev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1088                 i++;
1089                 if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1090                         goto nla_put_failure;
1091         }
1092         if (dev->ops->set_monitor_channel || dev->ops->start_ap ||
1093             dev->ops->join_mesh) {
1094                 i++;
1095                 if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1096                         goto nla_put_failure;
1097         }
1098         CMD(set_wds_peer, SET_WDS_PEER);
1099         if (dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1100                 CMD(tdls_mgmt, TDLS_MGMT);
1101                 CMD(tdls_oper, TDLS_OPER);
1102         }
1103         if (dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN)
1104                 CMD(sched_scan_start, START_SCHED_SCAN);
1105         CMD(probe_client, PROBE_CLIENT);
1106         CMD(set_noack_map, SET_NOACK_MAP);
1107         if (dev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1108                 i++;
1109                 if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1110                         goto nla_put_failure;
1111         }
1112         CMD(start_p2p_device, START_P2P_DEVICE);
1113
1114 #ifdef CONFIG_NL80211_TESTMODE
1115         CMD(testmode_cmd, TESTMODE);
1116 #endif
1117
1118 #undef CMD
1119
1120         if (dev->ops->connect || dev->ops->auth) {
1121                 i++;
1122                 if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1123                         goto nla_put_failure;
1124         }
1125
1126         if (dev->ops->disconnect || dev->ops->deauth) {
1127                 i++;
1128                 if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1129                         goto nla_put_failure;
1130         }
1131
1132         nla_nest_end(msg, nl_cmds);
1133
1134         if (dev->ops->remain_on_channel &&
1135             (dev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
1136             nla_put_u32(msg, NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
1137                         dev->wiphy.max_remain_on_channel_duration))
1138                 goto nla_put_failure;
1139
1140         if ((dev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
1141             nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
1142                 goto nla_put_failure;
1143
1144         if (mgmt_stypes) {
1145                 u16 stypes;
1146                 struct nlattr *nl_ftypes, *nl_ifs;
1147                 enum nl80211_iftype ift;
1148
1149                 nl_ifs = nla_nest_start(msg, NL80211_ATTR_TX_FRAME_TYPES);
1150                 if (!nl_ifs)
1151                         goto nla_put_failure;
1152
1153                 for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1154                         nl_ftypes = nla_nest_start(msg, ift);
1155                         if (!nl_ftypes)
1156                                 goto nla_put_failure;
1157                         i = 0;
1158                         stypes = mgmt_stypes[ift].tx;
1159                         while (stypes) {
1160                                 if ((stypes & 1) &&
1161                                     nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1162                                                 (i << 4) | IEEE80211_FTYPE_MGMT))
1163                                         goto nla_put_failure;
1164                                 stypes >>= 1;
1165                                 i++;
1166                         }
1167                         nla_nest_end(msg, nl_ftypes);
1168                 }
1169
1170                 nla_nest_end(msg, nl_ifs);
1171
1172                 nl_ifs = nla_nest_start(msg, NL80211_ATTR_RX_FRAME_TYPES);
1173                 if (!nl_ifs)
1174                         goto nla_put_failure;
1175
1176                 for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1177                         nl_ftypes = nla_nest_start(msg, ift);
1178                         if (!nl_ftypes)
1179                                 goto nla_put_failure;
1180                         i = 0;
1181                         stypes = mgmt_stypes[ift].rx;
1182                         while (stypes) {
1183                                 if ((stypes & 1) &&
1184                                     nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1185                                                 (i << 4) | IEEE80211_FTYPE_MGMT))
1186                                         goto nla_put_failure;
1187                                 stypes >>= 1;
1188                                 i++;
1189                         }
1190                         nla_nest_end(msg, nl_ftypes);
1191                 }
1192                 nla_nest_end(msg, nl_ifs);
1193         }
1194
1195 #ifdef CONFIG_PM
1196         if (dev->wiphy.wowlan.flags || dev->wiphy.wowlan.n_patterns) {
1197                 struct nlattr *nl_wowlan;
1198
1199                 nl_wowlan = nla_nest_start(msg,
1200                                 NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1201                 if (!nl_wowlan)
1202                         goto nla_put_failure;
1203
1204                 if (((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_ANY) &&
1205                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1206                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_DISCONNECT) &&
1207                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1208                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1209                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1210                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1211                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1212                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1213                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1214                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1215                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1216                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1217                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1218                     ((dev->wiphy.wowlan.flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1219                      nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1220                     goto nla_put_failure;
1221                 if (dev->wiphy.wowlan.n_patterns) {
1222                         struct nl80211_wowlan_pattern_support pat = {
1223                                 .max_patterns = dev->wiphy.wowlan.n_patterns,
1224                                 .min_pattern_len =
1225                                         dev->wiphy.wowlan.pattern_min_len,
1226                                 .max_pattern_len =
1227                                         dev->wiphy.wowlan.pattern_max_len,
1228                         };
1229                         if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1230                                     sizeof(pat), &pat))
1231                                 goto nla_put_failure;
1232                 }
1233
1234                 nla_nest_end(msg, nl_wowlan);
1235         }
1236 #endif
1237
1238         if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
1239                                 dev->wiphy.software_iftypes))
1240                 goto nla_put_failure;
1241
1242         if (nl80211_put_iface_combinations(&dev->wiphy, msg))
1243                 goto nla_put_failure;
1244
1245         if ((dev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
1246             nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
1247                         dev->wiphy.ap_sme_capa))
1248                 goto nla_put_failure;
1249
1250         if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS,
1251                         dev->wiphy.features))
1252                 goto nla_put_failure;
1253
1254         if (dev->wiphy.ht_capa_mod_mask &&
1255             nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
1256                     sizeof(*dev->wiphy.ht_capa_mod_mask),
1257                     dev->wiphy.ht_capa_mod_mask))
1258                 goto nla_put_failure;
1259
1260         return genlmsg_end(msg, hdr);
1261
1262  nla_put_failure:
1263         genlmsg_cancel(msg, hdr);
1264         return -EMSGSIZE;
1265 }
1266
1267 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
1268 {
1269         int idx = 0;
1270         int start = cb->args[0];
1271         struct cfg80211_registered_device *dev;
1272
1273         mutex_lock(&cfg80211_mutex);
1274         list_for_each_entry(dev, &cfg80211_rdev_list, list) {
1275                 if (!net_eq(wiphy_net(&dev->wiphy), sock_net(skb->sk)))
1276                         continue;
1277                 if (++idx <= start)
1278                         continue;
1279                 if (nl80211_send_wiphy(skb, NETLINK_CB(cb->skb).portid,
1280                                        cb->nlh->nlmsg_seq, NLM_F_MULTI,
1281                                        dev) < 0) {
1282                         idx--;
1283                         break;
1284                 }
1285         }
1286         mutex_unlock(&cfg80211_mutex);
1287
1288         cb->args[0] = idx;
1289
1290         return skb->len;
1291 }
1292
1293 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
1294 {
1295         struct sk_buff *msg;
1296         struct cfg80211_registered_device *dev = info->user_ptr[0];
1297
1298         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1299         if (!msg)
1300                 return -ENOMEM;
1301
1302         if (nl80211_send_wiphy(msg, info->snd_portid, info->snd_seq, 0, dev) < 0) {
1303                 nlmsg_free(msg);
1304                 return -ENOBUFS;
1305         }
1306
1307         return genlmsg_reply(msg, info);
1308 }
1309
1310 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
1311         [NL80211_TXQ_ATTR_QUEUE]                = { .type = NLA_U8 },
1312         [NL80211_TXQ_ATTR_TXOP]                 = { .type = NLA_U16 },
1313         [NL80211_TXQ_ATTR_CWMIN]                = { .type = NLA_U16 },
1314         [NL80211_TXQ_ATTR_CWMAX]                = { .type = NLA_U16 },
1315         [NL80211_TXQ_ATTR_AIFS]                 = { .type = NLA_U8 },
1316 };
1317
1318 static int parse_txq_params(struct nlattr *tb[],
1319                             struct ieee80211_txq_params *txq_params)
1320 {
1321         if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
1322             !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
1323             !tb[NL80211_TXQ_ATTR_AIFS])
1324                 return -EINVAL;
1325
1326         txq_params->ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
1327         txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
1328         txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
1329         txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
1330         txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
1331
1332         if (txq_params->ac >= NL80211_NUM_ACS)
1333                 return -EINVAL;
1334
1335         return 0;
1336 }
1337
1338 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
1339 {
1340         /*
1341          * You can only set the channel explicitly for WDS interfaces,
1342          * all others have their channel managed via their respective
1343          * "establish a connection" command (connect, join, ...)
1344          *
1345          * For AP/GO and mesh mode, the channel can be set with the
1346          * channel userspace API, but is only stored and passed to the
1347          * low-level driver when the AP starts or the mesh is joined.
1348          * This is for backward compatibility, userspace can also give
1349          * the channel in the start-ap or join-mesh commands instead.
1350          *
1351          * Monitors are special as they are normally slaved to
1352          * whatever else is going on, so they have their own special
1353          * operation to set the monitor channel if possible.
1354          */
1355         return !wdev ||
1356                 wdev->iftype == NL80211_IFTYPE_AP ||
1357                 wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
1358                 wdev->iftype == NL80211_IFTYPE_MONITOR ||
1359                 wdev->iftype == NL80211_IFTYPE_P2P_GO;
1360 }
1361
1362 static bool nl80211_valid_channel_type(struct genl_info *info,
1363                                        enum nl80211_channel_type *channel_type)
1364 {
1365         enum nl80211_channel_type tmp;
1366
1367         if (!info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE])
1368                 return false;
1369
1370         tmp = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
1371         if (tmp != NL80211_CHAN_NO_HT &&
1372             tmp != NL80211_CHAN_HT20 &&
1373             tmp != NL80211_CHAN_HT40PLUS &&
1374             tmp != NL80211_CHAN_HT40MINUS)
1375                 return false;
1376
1377         if (channel_type)
1378                 *channel_type = tmp;
1379
1380         return true;
1381 }
1382
1383 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
1384                                  struct wireless_dev *wdev,
1385                                  struct genl_info *info)
1386 {
1387         struct ieee80211_channel *channel;
1388         enum nl80211_channel_type channel_type = NL80211_CHAN_NO_HT;
1389         u32 freq;
1390         int result;
1391         enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
1392
1393         if (wdev)
1394                 iftype = wdev->iftype;
1395
1396         if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
1397                 return -EINVAL;
1398
1399         if (!nl80211_can_set_dev_channel(wdev))
1400                 return -EOPNOTSUPP;
1401
1402         if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE] &&
1403             !nl80211_valid_channel_type(info, &channel_type))
1404                 return -EINVAL;
1405
1406         freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
1407
1408         mutex_lock(&rdev->devlist_mtx);
1409         switch (iftype) {
1410         case NL80211_IFTYPE_AP:
1411         case NL80211_IFTYPE_P2P_GO:
1412                 if (wdev->beacon_interval) {
1413                         result = -EBUSY;
1414                         break;
1415                 }
1416                 channel = rdev_freq_to_chan(rdev, freq, channel_type);
1417                 if (!channel || !cfg80211_can_beacon_sec_chan(&rdev->wiphy,
1418                                                               channel,
1419                                                               channel_type)) {
1420                         result = -EINVAL;
1421                         break;
1422                 }
1423                 wdev->preset_chan = channel;
1424                 wdev->preset_chantype = channel_type;
1425                 result = 0;
1426                 break;
1427         case NL80211_IFTYPE_MESH_POINT:
1428                 result = cfg80211_set_mesh_freq(rdev, wdev, freq, channel_type);
1429                 break;
1430         case NL80211_IFTYPE_MONITOR:
1431                 result = cfg80211_set_monitor_channel(rdev, freq, channel_type);
1432                 break;
1433         default:
1434                 result = -EINVAL;
1435         }
1436         mutex_unlock(&rdev->devlist_mtx);
1437
1438         return result;
1439 }
1440
1441 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
1442 {
1443         struct cfg80211_registered_device *rdev = info->user_ptr[0];
1444         struct net_device *netdev = info->user_ptr[1];
1445
1446         return __nl80211_set_channel(rdev, netdev->ieee80211_ptr, info);
1447 }
1448
1449 static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
1450 {
1451         struct cfg80211_registered_device *rdev = info->user_ptr[0];
1452         struct net_device *dev = info->user_ptr[1];
1453         struct wireless_dev *wdev = dev->ieee80211_ptr;
1454         const u8 *bssid;
1455
1456         if (!info->attrs[NL80211_ATTR_MAC])
1457                 return -EINVAL;
1458
1459         if (netif_running(dev))
1460                 return -EBUSY;
1461
1462         if (!rdev->ops->set_wds_peer)
1463                 return -EOPNOTSUPP;
1464
1465         if (wdev->iftype != NL80211_IFTYPE_WDS)
1466                 return -EOPNOTSUPP;
1467
1468         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
1469         return rdev_set_wds_peer(rdev, dev, bssid);
1470 }
1471
1472
1473 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
1474 {
1475         struct cfg80211_registered_device *rdev;
1476         struct net_device *netdev = NULL;
1477         struct wireless_dev *wdev;
1478         int result = 0, rem_txq_params = 0;
1479         struct nlattr *nl_txq_params;
1480         u32 changed;
1481         u8 retry_short = 0, retry_long = 0;
1482         u32 frag_threshold = 0, rts_threshold = 0;
1483         u8 coverage_class = 0;
1484
1485         /*
1486          * Try to find the wiphy and netdev. Normally this
1487          * function shouldn't need the netdev, but this is
1488          * done for backward compatibility -- previously
1489          * setting the channel was done per wiphy, but now
1490          * it is per netdev. Previous userland like hostapd
1491          * also passed a netdev to set_wiphy, so that it is
1492          * possible to let that go to the right netdev!
1493          */
1494         mutex_lock(&cfg80211_mutex);
1495
1496         if (info->attrs[NL80211_ATTR_IFINDEX]) {
1497                 int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
1498
1499                 netdev = dev_get_by_index(genl_info_net(info), ifindex);
1500                 if (netdev && netdev->ieee80211_ptr) {
1501                         rdev = wiphy_to_dev(netdev->ieee80211_ptr->wiphy);
1502                         mutex_lock(&rdev->mtx);
1503                 } else
1504                         netdev = NULL;
1505         }
1506
1507         if (!netdev) {
1508                 rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
1509                                                   info->attrs);
1510                 if (IS_ERR(rdev)) {
1511                         mutex_unlock(&cfg80211_mutex);
1512                         return PTR_ERR(rdev);
1513                 }
1514                 wdev = NULL;
1515                 netdev = NULL;
1516                 result = 0;
1517
1518                 mutex_lock(&rdev->mtx);
1519         } else if (nl80211_can_set_dev_channel(netdev->ieee80211_ptr))
1520                 wdev = netdev->ieee80211_ptr;
1521         else
1522                 wdev = NULL;
1523
1524         /*
1525          * end workaround code, by now the rdev is available
1526          * and locked, and wdev may or may not be NULL.
1527          */
1528
1529         if (info->attrs[NL80211_ATTR_WIPHY_NAME])
1530                 result = cfg80211_dev_rename(
1531                         rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
1532
1533         mutex_unlock(&cfg80211_mutex);
1534
1535         if (result)
1536                 goto bad_res;
1537
1538         if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
1539                 struct ieee80211_txq_params txq_params;
1540                 struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
1541
1542                 if (!rdev->ops->set_txq_params) {
1543                         result = -EOPNOTSUPP;
1544                         goto bad_res;
1545                 }
1546
1547                 if (!netdev) {
1548                         result = -EINVAL;
1549                         goto bad_res;
1550                 }
1551
1552                 if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
1553                     netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
1554                         result = -EINVAL;
1555                         goto bad_res;
1556                 }
1557
1558                 if (!netif_running(netdev)) {
1559                         result = -ENETDOWN;
1560                         goto bad_res;
1561                 }
1562
1563                 nla_for_each_nested(nl_txq_params,
1564                                     info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
1565                                     rem_txq_params) {
1566                         nla_parse(tb, NL80211_TXQ_ATTR_MAX,
1567                                   nla_data(nl_txq_params),
1568                                   nla_len(nl_txq_params),
1569                                   txq_params_policy);
1570                         result = parse_txq_params(tb, &txq_params);
1571                         if (result)
1572                                 goto bad_res;
1573
1574                         result = rdev_set_txq_params(rdev, netdev,
1575                                                      &txq_params);
1576                         if (result)
1577                                 goto bad_res;
1578                 }
1579         }
1580
1581         if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
1582                 result = __nl80211_set_channel(rdev, wdev, info);
1583                 if (result)
1584                         goto bad_res;
1585         }
1586
1587         if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
1588                 enum nl80211_tx_power_setting type;
1589                 int idx, mbm = 0;
1590
1591                 if (!rdev->ops->set_tx_power) {
1592                         result = -EOPNOTSUPP;
1593                         goto bad_res;
1594                 }
1595
1596                 idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
1597                 type = nla_get_u32(info->attrs[idx]);
1598
1599                 if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
1600                     (type != NL80211_TX_POWER_AUTOMATIC)) {
1601                         result = -EINVAL;
1602                         goto bad_res;
1603                 }
1604
1605                 if (type != NL80211_TX_POWER_AUTOMATIC) {
1606                         idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
1607                         mbm = nla_get_u32(info->attrs[idx]);
1608                 }
1609
1610                 result = rdev_set_tx_power(rdev, type, mbm);
1611                 if (result)
1612                         goto bad_res;
1613         }
1614
1615         if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
1616             info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
1617                 u32 tx_ant, rx_ant;
1618                 if ((!rdev->wiphy.available_antennas_tx &&
1619                      !rdev->wiphy.available_antennas_rx) ||
1620                     !rdev->ops->set_antenna) {
1621                         result = -EOPNOTSUPP;
1622                         goto bad_res;
1623                 }
1624
1625                 tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
1626                 rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
1627
1628                 /* reject antenna configurations which don't match the
1629                  * available antenna masks, except for the "all" mask */
1630                 if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
1631                     (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx))) {
1632                         result = -EINVAL;
1633                         goto bad_res;
1634                 }
1635
1636                 tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
1637                 rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
1638
1639                 result = rdev_set_antenna(rdev, tx_ant, rx_ant);
1640                 if (result)
1641                         goto bad_res;
1642         }
1643
1644         changed = 0;
1645
1646         if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
1647                 retry_short = nla_get_u8(
1648                         info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
1649                 if (retry_short == 0) {
1650                         result = -EINVAL;
1651                         goto bad_res;
1652                 }
1653                 changed |= WIPHY_PARAM_RETRY_SHORT;
1654         }
1655
1656         if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
1657                 retry_long = nla_get_u8(
1658                         info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
1659                 if (retry_long == 0) {
1660                         result = -EINVAL;
1661                         goto bad_res;
1662                 }
1663                 changed |= WIPHY_PARAM_RETRY_LONG;
1664         }
1665
1666         if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
1667                 frag_threshold = nla_get_u32(
1668                         info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
1669                 if (frag_threshold < 256) {
1670                         result = -EINVAL;
1671                         goto bad_res;
1672                 }
1673                 if (frag_threshold != (u32) -1) {
1674                         /*
1675                          * Fragments (apart from the last one) are required to
1676                          * have even length. Make the fragmentation code
1677                          * simpler by stripping LSB should someone try to use
1678                          * odd threshold value.
1679                          */
1680                         frag_threshold &= ~0x1;
1681                 }
1682                 changed |= WIPHY_PARAM_FRAG_THRESHOLD;
1683         }
1684
1685         if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
1686                 rts_threshold = nla_get_u32(
1687                         info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
1688                 changed |= WIPHY_PARAM_RTS_THRESHOLD;
1689         }
1690
1691         if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
1692                 coverage_class = nla_get_u8(
1693                         info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
1694                 changed |= WIPHY_PARAM_COVERAGE_CLASS;
1695         }
1696
1697         if (changed) {
1698                 u8 old_retry_short, old_retry_long;
1699                 u32 old_frag_threshold, old_rts_threshold;
1700                 u8 old_coverage_class;
1701
1702                 if (!rdev->ops->set_wiphy_params) {
1703                         result = -EOPNOTSUPP;
1704                         goto bad_res;
1705                 }
1706
1707                 old_retry_short = rdev->wiphy.retry_short;
1708                 old_retry_long = rdev->wiphy.retry_long;
1709                 old_frag_threshold = rdev->wiphy.frag_threshold;
1710                 old_rts_threshold = rdev->wiphy.rts_threshold;
1711                 old_coverage_class = rdev->wiphy.coverage_class;
1712
1713                 if (changed & WIPHY_PARAM_RETRY_SHORT)
1714                         rdev->wiphy.retry_short = retry_short;
1715                 if (changed & WIPHY_PARAM_RETRY_LONG)
1716                         rdev->wiphy.retry_long = retry_long;
1717                 if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
1718                         rdev->wiphy.frag_threshold = frag_threshold;
1719                 if (changed & WIPHY_PARAM_RTS_THRESHOLD)
1720                         rdev->wiphy.rts_threshold = rts_threshold;
1721                 if (changed & WIPHY_PARAM_COVERAGE_CLASS)
1722                         rdev->wiphy.coverage_class = coverage_class;
1723
1724                 result = rdev_set_wiphy_params(rdev, changed);
1725                 if (result) {
1726                         rdev->wiphy.retry_short = old_retry_short;
1727                         rdev->wiphy.retry_long = old_retry_long;
1728                         rdev->wiphy.frag_threshold = old_frag_threshold;
1729                         rdev->wiphy.rts_threshold = old_rts_threshold;
1730                         rdev->wiphy.coverage_class = old_coverage_class;
1731                 }
1732         }
1733
1734  bad_res:
1735         mutex_unlock(&rdev->mtx);
1736         if (netdev)
1737                 dev_put(netdev);
1738         return result;
1739 }
1740
1741 static inline u64 wdev_id(struct wireless_dev *wdev)
1742 {
1743         return (u64)wdev->identifier |
1744                ((u64)wiphy_to_dev(wdev->wiphy)->wiphy_idx << 32);
1745 }
1746
1747 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
1748                               struct cfg80211_registered_device *rdev,
1749                               struct wireless_dev *wdev)
1750 {
1751         struct net_device *dev = wdev->netdev;
1752         void *hdr;
1753
1754         hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_INTERFACE);
1755         if (!hdr)
1756                 return -1;
1757
1758         if (dev &&
1759             (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
1760              nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
1761                 goto nla_put_failure;
1762
1763         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
1764             nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
1765             nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
1766             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
1767             nla_put_u32(msg, NL80211_ATTR_GENERATION,
1768                         rdev->devlist_generation ^
1769                         (cfg80211_rdev_list_generation << 2)))
1770                 goto nla_put_failure;
1771
1772         if (rdev->ops->get_channel) {
1773                 struct ieee80211_channel *chan;
1774                 enum nl80211_channel_type channel_type;
1775
1776                 chan = rdev_get_channel(rdev, wdev, &channel_type);
1777                 if (chan &&
1778                     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
1779                                  chan->center_freq) ||
1780                      nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
1781                                  channel_type)))
1782                         goto nla_put_failure;
1783         }
1784
1785         return genlmsg_end(msg, hdr);
1786
1787  nla_put_failure:
1788         genlmsg_cancel(msg, hdr);
1789         return -EMSGSIZE;
1790 }
1791
1792 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
1793 {
1794         int wp_idx = 0;
1795         int if_idx = 0;
1796         int wp_start = cb->args[0];
1797         int if_start = cb->args[1];
1798         struct cfg80211_registered_device *rdev;
1799         struct wireless_dev *wdev;
1800
1801         mutex_lock(&cfg80211_mutex);
1802         list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
1803                 if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
1804                         continue;
1805                 if (wp_idx < wp_start) {
1806                         wp_idx++;
1807                         continue;
1808                 }
1809                 if_idx = 0;
1810
1811                 mutex_lock(&rdev->devlist_mtx);
1812                 list_for_each_entry(wdev, &rdev->wdev_list, list) {
1813                         if (if_idx < if_start) {
1814                                 if_idx++;
1815                                 continue;
1816                         }
1817                         if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
1818                                                cb->nlh->nlmsg_seq, NLM_F_MULTI,
1819                                                rdev, wdev) < 0) {
1820                                 mutex_unlock(&rdev->devlist_mtx);
1821                                 goto out;
1822                         }
1823                         if_idx++;
1824                 }
1825                 mutex_unlock(&rdev->devlist_mtx);
1826
1827                 wp_idx++;
1828         }
1829  out:
1830         mutex_unlock(&cfg80211_mutex);
1831
1832         cb->args[0] = wp_idx;
1833         cb->args[1] = if_idx;
1834
1835         return skb->len;
1836 }
1837
1838 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
1839 {
1840         struct sk_buff *msg;
1841         struct cfg80211_registered_device *dev = info->user_ptr[0];
1842         struct wireless_dev *wdev = info->user_ptr[1];
1843
1844         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1845         if (!msg)
1846                 return -ENOMEM;
1847
1848         if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
1849                                dev, wdev) < 0) {
1850                 nlmsg_free(msg);
1851                 return -ENOBUFS;
1852         }
1853
1854         return genlmsg_reply(msg, info);
1855 }
1856
1857 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
1858         [NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
1859         [NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
1860         [NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
1861         [NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
1862         [NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
1863 };
1864
1865 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
1866 {
1867         struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
1868         int flag;
1869
1870         *mntrflags = 0;
1871
1872         if (!nla)
1873                 return -EINVAL;
1874
1875         if (nla_parse_nested(flags, NL80211_MNTR_FLAG_MAX,
1876                              nla, mntr_flags_policy))
1877                 return -EINVAL;
1878
1879         for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
1880                 if (flags[flag])
1881                         *mntrflags |= (1<<flag);
1882
1883         return 0;
1884 }
1885
1886 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
1887                                struct net_device *netdev, u8 use_4addr,
1888                                enum nl80211_iftype iftype)
1889 {
1890         if (!use_4addr) {
1891                 if (netdev && (netdev->priv_flags & IFF_BRIDGE_PORT))
1892                         return -EBUSY;
1893                 return 0;
1894         }
1895
1896         switch (iftype) {
1897         case NL80211_IFTYPE_AP_VLAN:
1898                 if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
1899                         return 0;
1900                 break;
1901         case NL80211_IFTYPE_STATION:
1902                 if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
1903                         return 0;
1904                 break;
1905         default:
1906                 break;
1907         }
1908
1909         return -EOPNOTSUPP;
1910 }
1911
1912 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
1913 {
1914         struct cfg80211_registered_device *rdev = info->user_ptr[0];
1915         struct vif_params params;
1916         int err;
1917         enum nl80211_iftype otype, ntype;
1918         struct net_device *dev = info->user_ptr[1];
1919         u32 _flags, *flags = NULL;
1920         bool change = false;
1921
1922         memset(&params, 0, sizeof(params));
1923
1924         otype = ntype = dev->ieee80211_ptr->iftype;
1925
1926         if (info->attrs[NL80211_ATTR_IFTYPE]) {
1927                 ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
1928                 if (otype != ntype)
1929                         change = true;
1930                 if (ntype > NL80211_IFTYPE_MAX)
1931                         return -EINVAL;
1932         }
1933
1934         if (info->attrs[NL80211_ATTR_MESH_ID]) {
1935                 struct wireless_dev *wdev = dev->ieee80211_ptr;
1936
1937                 if (ntype != NL80211_IFTYPE_MESH_POINT)
1938                         return -EINVAL;
1939                 if (netif_running(dev))
1940                         return -EBUSY;
1941
1942                 wdev_lock(wdev);
1943                 BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
1944                              IEEE80211_MAX_MESH_ID_LEN);
1945                 wdev->mesh_id_up_len =
1946                         nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
1947                 memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
1948                        wdev->mesh_id_up_len);
1949                 wdev_unlock(wdev);
1950         }
1951
1952         if (info->attrs[NL80211_ATTR_4ADDR]) {
1953                 params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
1954                 change = true;
1955                 err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
1956                 if (err)
1957                         return err;
1958         } else {
1959                 params.use_4addr = -1;
1960         }
1961
1962         if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
1963                 if (ntype != NL80211_IFTYPE_MONITOR)
1964                         return -EINVAL;
1965                 err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
1966                                           &_flags);
1967                 if (err)
1968                         return err;
1969
1970                 flags = &_flags;
1971                 change = true;
1972         }
1973
1974         if (change)
1975                 err = cfg80211_change_iface(rdev, dev, ntype, flags, &params);
1976         else
1977                 err = 0;
1978
1979         if (!err && params.use_4addr != -1)
1980                 dev->ieee80211_ptr->use_4addr = params.use_4addr;
1981
1982         return err;
1983 }
1984
1985 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
1986 {
1987         struct cfg80211_registered_device *rdev = info->user_ptr[0];
1988         struct vif_params params;
1989         struct wireless_dev *wdev;
1990         struct sk_buff *msg;
1991         int err;
1992         enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
1993         u32 flags;
1994
1995         memset(&params, 0, sizeof(params));
1996
1997         if (!info->attrs[NL80211_ATTR_IFNAME])
1998                 return -EINVAL;
1999
2000         if (info->attrs[NL80211_ATTR_IFTYPE]) {
2001                 type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
2002                 if (type > NL80211_IFTYPE_MAX)
2003                         return -EINVAL;
2004         }
2005
2006         if (!rdev->ops->add_virtual_intf ||
2007             !(rdev->wiphy.interface_modes & (1 << type)))
2008                 return -EOPNOTSUPP;
2009
2010         if (info->attrs[NL80211_ATTR_4ADDR]) {
2011                 params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
2012                 err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
2013                 if (err)
2014                         return err;
2015         }
2016
2017         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2018         if (!msg)
2019                 return -ENOMEM;
2020
2021         err = parse_monitor_flags(type == NL80211_IFTYPE_MONITOR ?
2022                                   info->attrs[NL80211_ATTR_MNTR_FLAGS] : NULL,
2023                                   &flags);
2024         wdev = rdev_add_virtual_intf(rdev,
2025                                 nla_data(info->attrs[NL80211_ATTR_IFNAME]),
2026                                 type, err ? NULL : &flags, &params);
2027         if (IS_ERR(wdev)) {
2028                 nlmsg_free(msg);
2029                 return PTR_ERR(wdev);
2030         }
2031
2032         switch (type) {
2033         case NL80211_IFTYPE_MESH_POINT:
2034                 if (!info->attrs[NL80211_ATTR_MESH_ID])
2035                         break;
2036                 wdev_lock(wdev);
2037                 BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
2038                              IEEE80211_MAX_MESH_ID_LEN);
2039                 wdev->mesh_id_up_len =
2040                         nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
2041                 memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
2042                        wdev->mesh_id_up_len);
2043                 wdev_unlock(wdev);
2044                 break;
2045         case NL80211_IFTYPE_P2P_DEVICE:
2046                 /*
2047                  * P2P Device doesn't have a netdev, so doesn't go
2048                  * through the netdev notifier and must be added here
2049                  */
2050                 mutex_init(&wdev->mtx);
2051                 INIT_LIST_HEAD(&wdev->event_list);
2052                 spin_lock_init(&wdev->event_lock);
2053                 INIT_LIST_HEAD(&wdev->mgmt_registrations);
2054                 spin_lock_init(&wdev->mgmt_registrations_lock);
2055
2056                 mutex_lock(&rdev->devlist_mtx);
2057                 wdev->identifier = ++rdev->wdev_id;
2058                 list_add_rcu(&wdev->list, &rdev->wdev_list);
2059                 rdev->devlist_generation++;
2060                 mutex_unlock(&rdev->devlist_mtx);
2061                 break;
2062         default:
2063                 break;
2064         }
2065
2066         if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
2067                                rdev, wdev) < 0) {
2068                 nlmsg_free(msg);
2069                 return -ENOBUFS;
2070         }
2071
2072         return genlmsg_reply(msg, info);
2073 }
2074
2075 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
2076 {
2077         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2078         struct wireless_dev *wdev = info->user_ptr[1];
2079
2080         if (!rdev->ops->del_virtual_intf)
2081                 return -EOPNOTSUPP;
2082
2083         /*
2084          * If we remove a wireless device without a netdev then clear
2085          * user_ptr[1] so that nl80211_post_doit won't dereference it
2086          * to check if it needs to do dev_put(). Otherwise it crashes
2087          * since the wdev has been freed, unlike with a netdev where
2088          * we need the dev_put() for the netdev to really be freed.
2089          */
2090         if (!wdev->netdev)
2091                 info->user_ptr[1] = NULL;
2092
2093         return rdev_del_virtual_intf(rdev, wdev);
2094 }
2095
2096 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
2097 {
2098         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2099         struct net_device *dev = info->user_ptr[1];
2100         u16 noack_map;
2101
2102         if (!info->attrs[NL80211_ATTR_NOACK_MAP])
2103                 return -EINVAL;
2104
2105         if (!rdev->ops->set_noack_map)
2106                 return -EOPNOTSUPP;
2107
2108         noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
2109
2110         return rdev_set_noack_map(rdev, dev, noack_map);
2111 }
2112
2113 struct get_key_cookie {
2114         struct sk_buff *msg;
2115         int error;
2116         int idx;
2117 };
2118
2119 static void get_key_callback(void *c, struct key_params *params)
2120 {
2121         struct nlattr *key;
2122         struct get_key_cookie *cookie = c;
2123
2124         if ((params->key &&
2125              nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
2126                      params->key_len, params->key)) ||
2127             (params->seq &&
2128              nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
2129                      params->seq_len, params->seq)) ||
2130             (params->cipher &&
2131              nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
2132                          params->cipher)))
2133                 goto nla_put_failure;
2134
2135         key = nla_nest_start(cookie->msg, NL80211_ATTR_KEY);
2136         if (!key)
2137                 goto nla_put_failure;
2138
2139         if ((params->key &&
2140              nla_put(cookie->msg, NL80211_KEY_DATA,
2141                      params->key_len, params->key)) ||
2142             (params->seq &&
2143              nla_put(cookie->msg, NL80211_KEY_SEQ,
2144                      params->seq_len, params->seq)) ||
2145             (params->cipher &&
2146              nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
2147                          params->cipher)))
2148                 goto nla_put_failure;
2149
2150         if (nla_put_u8(cookie->msg, NL80211_ATTR_KEY_IDX, cookie->idx))
2151                 goto nla_put_failure;
2152
2153         nla_nest_end(cookie->msg, key);
2154
2155         return;
2156  nla_put_failure:
2157         cookie->error = 1;
2158 }
2159
2160 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
2161 {
2162         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2163         int err;
2164         struct net_device *dev = info->user_ptr[1];
2165         u8 key_idx = 0;
2166         const u8 *mac_addr = NULL;
2167         bool pairwise;
2168         struct get_key_cookie cookie = {
2169                 .error = 0,
2170         };
2171         void *hdr;
2172         struct sk_buff *msg;
2173
2174         if (info->attrs[NL80211_ATTR_KEY_IDX])
2175                 key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
2176
2177         if (key_idx > 5)
2178                 return -EINVAL;
2179
2180         if (info->attrs[NL80211_ATTR_MAC])
2181                 mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2182
2183         pairwise = !!mac_addr;
2184         if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
2185                 u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
2186                 if (kt >= NUM_NL80211_KEYTYPES)
2187                         return -EINVAL;
2188                 if (kt != NL80211_KEYTYPE_GROUP &&
2189                     kt != NL80211_KEYTYPE_PAIRWISE)
2190                         return -EINVAL;
2191                 pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
2192         }
2193
2194         if (!rdev->ops->get_key)
2195                 return -EOPNOTSUPP;
2196
2197         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2198         if (!msg)
2199                 return -ENOMEM;
2200
2201         hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
2202                              NL80211_CMD_NEW_KEY);
2203         if (IS_ERR(hdr))
2204                 return PTR_ERR(hdr);
2205
2206         cookie.msg = msg;
2207         cookie.idx = key_idx;
2208
2209         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2210             nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
2211                 goto nla_put_failure;
2212         if (mac_addr &&
2213             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
2214                 goto nla_put_failure;
2215
2216         if (pairwise && mac_addr &&
2217             !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
2218                 return -ENOENT;
2219
2220         err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
2221                            get_key_callback);
2222
2223         if (err)
2224                 goto free_msg;
2225
2226         if (cookie.error)
2227                 goto nla_put_failure;
2228
2229         genlmsg_end(msg, hdr);
2230         return genlmsg_reply(msg, info);
2231
2232  nla_put_failure:
2233         err = -ENOBUFS;
2234  free_msg:
2235         nlmsg_free(msg);
2236         return err;
2237 }
2238
2239 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
2240 {
2241         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2242         struct key_parse key;
2243         int err;
2244         struct net_device *dev = info->user_ptr[1];
2245
2246         err = nl80211_parse_key(info, &key);
2247         if (err)
2248                 return err;
2249
2250         if (key.idx < 0)
2251                 return -EINVAL;
2252
2253         /* only support setting default key */
2254         if (!key.def && !key.defmgmt)
2255                 return -EINVAL;
2256
2257         wdev_lock(dev->ieee80211_ptr);
2258
2259         if (key.def) {
2260                 if (!rdev->ops->set_default_key) {
2261                         err = -EOPNOTSUPP;
2262                         goto out;
2263                 }
2264
2265                 err = nl80211_key_allowed(dev->ieee80211_ptr);
2266                 if (err)
2267                         goto out;
2268
2269                 err = rdev_set_default_key(rdev, dev, key.idx,
2270                                                  key.def_uni, key.def_multi);
2271
2272                 if (err)
2273                         goto out;
2274
2275 #ifdef CONFIG_CFG80211_WEXT
2276                 dev->ieee80211_ptr->wext.default_key = key.idx;
2277 #endif
2278         } else {
2279                 if (key.def_uni || !key.def_multi) {
2280                         err = -EINVAL;
2281                         goto out;
2282                 }
2283
2284                 if (!rdev->ops->set_default_mgmt_key) {
2285                         err = -EOPNOTSUPP;
2286                         goto out;
2287                 }
2288
2289                 err = nl80211_key_allowed(dev->ieee80211_ptr);
2290                 if (err)
2291                         goto out;
2292
2293                 err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
2294                 if (err)
2295                         goto out;
2296
2297 #ifdef CONFIG_CFG80211_WEXT
2298                 dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
2299 #endif
2300         }
2301
2302  out:
2303         wdev_unlock(dev->ieee80211_ptr);
2304
2305         return err;
2306 }
2307
2308 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
2309 {
2310         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2311         int err;
2312         struct net_device *dev = info->user_ptr[1];
2313         struct key_parse key;
2314         const u8 *mac_addr = NULL;
2315
2316         err = nl80211_parse_key(info, &key);
2317         if (err)
2318                 return err;
2319
2320         if (!key.p.key)
2321                 return -EINVAL;
2322
2323         if (info->attrs[NL80211_ATTR_MAC])
2324                 mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2325
2326         if (key.type == -1) {
2327                 if (mac_addr)
2328                         key.type = NL80211_KEYTYPE_PAIRWISE;
2329                 else
2330                         key.type = NL80211_KEYTYPE_GROUP;
2331         }
2332
2333         /* for now */
2334         if (key.type != NL80211_KEYTYPE_PAIRWISE &&
2335             key.type != NL80211_KEYTYPE_GROUP)
2336                 return -EINVAL;
2337
2338         if (!rdev->ops->add_key)
2339                 return -EOPNOTSUPP;
2340
2341         if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
2342                                            key.type == NL80211_KEYTYPE_PAIRWISE,
2343                                            mac_addr))
2344                 return -EINVAL;
2345
2346         wdev_lock(dev->ieee80211_ptr);
2347         err = nl80211_key_allowed(dev->ieee80211_ptr);
2348         if (!err)
2349                 err = rdev_add_key(rdev, dev, key.idx,
2350                                    key.type == NL80211_KEYTYPE_PAIRWISE,
2351                                     mac_addr, &key.p);
2352         wdev_unlock(dev->ieee80211_ptr);
2353
2354         return err;
2355 }
2356
2357 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
2358 {
2359         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2360         int err;
2361         struct net_device *dev = info->user_ptr[1];
2362         u8 *mac_addr = NULL;
2363         struct key_parse key;
2364
2365         err = nl80211_parse_key(info, &key);
2366         if (err)
2367                 return err;
2368
2369         if (info->attrs[NL80211_ATTR_MAC])
2370                 mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2371
2372         if (key.type == -1) {
2373                 if (mac_addr)
2374                         key.type = NL80211_KEYTYPE_PAIRWISE;
2375                 else
2376                         key.type = NL80211_KEYTYPE_GROUP;
2377         }
2378
2379         /* for now */
2380         if (key.type != NL80211_KEYTYPE_PAIRWISE &&
2381             key.type != NL80211_KEYTYPE_GROUP)
2382                 return -EINVAL;
2383
2384         if (!rdev->ops->del_key)
2385                 return -EOPNOTSUPP;
2386
2387         wdev_lock(dev->ieee80211_ptr);
2388         err = nl80211_key_allowed(dev->ieee80211_ptr);
2389
2390         if (key.type == NL80211_KEYTYPE_PAIRWISE && mac_addr &&
2391             !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
2392                 err = -ENOENT;
2393
2394         if (!err)
2395                 err = rdev_del_key(rdev, dev, key.idx,
2396                                    key.type == NL80211_KEYTYPE_PAIRWISE,
2397                                    mac_addr);
2398
2399 #ifdef CONFIG_CFG80211_WEXT
2400         if (!err) {
2401                 if (key.idx == dev->ieee80211_ptr->wext.default_key)
2402                         dev->ieee80211_ptr->wext.default_key = -1;
2403                 else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
2404                         dev->ieee80211_ptr->wext.default_mgmt_key = -1;
2405         }
2406 #endif
2407         wdev_unlock(dev->ieee80211_ptr);
2408
2409         return err;
2410 }
2411
2412 static int nl80211_parse_beacon(struct genl_info *info,
2413                                 struct cfg80211_beacon_data *bcn)
2414 {
2415         bool haveinfo = false;
2416
2417         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_BEACON_TAIL]) ||
2418             !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]) ||
2419             !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE_PROBE_RESP]) ||
2420             !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE_ASSOC_RESP]))
2421                 return -EINVAL;
2422
2423         memset(bcn, 0, sizeof(*bcn));
2424
2425         if (info->attrs[NL80211_ATTR_BEACON_HEAD]) {
2426                 bcn->head = nla_data(info->attrs[NL80211_ATTR_BEACON_HEAD]);
2427                 bcn->head_len = nla_len(info->attrs[NL80211_ATTR_BEACON_HEAD]);
2428                 if (!bcn->head_len)
2429                         return -EINVAL;
2430                 haveinfo = true;
2431         }
2432
2433         if (info->attrs[NL80211_ATTR_BEACON_TAIL]) {
2434                 bcn->tail = nla_data(info->attrs[NL80211_ATTR_BEACON_TAIL]);
2435                 bcn->tail_len =
2436                     nla_len(info->attrs[NL80211_ATTR_BEACON_TAIL]);
2437                 haveinfo = true;
2438         }
2439
2440         if (!haveinfo)
2441                 return -EINVAL;
2442
2443         if (info->attrs[NL80211_ATTR_IE]) {
2444                 bcn->beacon_ies = nla_data(info->attrs[NL80211_ATTR_IE]);
2445                 bcn->beacon_ies_len = nla_len(info->attrs[NL80211_ATTR_IE]);
2446         }
2447
2448         if (info->attrs[NL80211_ATTR_IE_PROBE_RESP]) {
2449                 bcn->proberesp_ies =
2450                         nla_data(info->attrs[NL80211_ATTR_IE_PROBE_RESP]);
2451                 bcn->proberesp_ies_len =
2452                         nla_len(info->attrs[NL80211_ATTR_IE_PROBE_RESP]);
2453         }
2454
2455         if (info->attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
2456                 bcn->assocresp_ies =
2457                         nla_data(info->attrs[NL80211_ATTR_IE_ASSOC_RESP]);
2458                 bcn->assocresp_ies_len =
2459                         nla_len(info->attrs[NL80211_ATTR_IE_ASSOC_RESP]);
2460         }
2461
2462         if (info->attrs[NL80211_ATTR_PROBE_RESP]) {
2463                 bcn->probe_resp =
2464                         nla_data(info->attrs[NL80211_ATTR_PROBE_RESP]);
2465                 bcn->probe_resp_len =
2466                         nla_len(info->attrs[NL80211_ATTR_PROBE_RESP]);
2467         }
2468
2469         return 0;
2470 }
2471
2472 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
2473                                    struct cfg80211_ap_settings *params)
2474 {
2475         struct wireless_dev *wdev;
2476         bool ret = false;
2477
2478         mutex_lock(&rdev->devlist_mtx);
2479
2480         list_for_each_entry(wdev, &rdev->wdev_list, list) {
2481                 if (wdev->iftype != NL80211_IFTYPE_AP &&
2482                     wdev->iftype != NL80211_IFTYPE_P2P_GO)
2483                         continue;
2484
2485                 if (!wdev->preset_chan)
2486                         continue;
2487
2488                 params->channel = wdev->preset_chan;
2489                 params->channel_type = wdev->preset_chantype;
2490                 ret = true;
2491                 break;
2492         }
2493
2494         mutex_unlock(&rdev->devlist_mtx);
2495
2496         return ret;
2497 }
2498
2499 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
2500                                     enum nl80211_auth_type auth_type,
2501                                     enum nl80211_commands cmd)
2502 {
2503         if (auth_type > NL80211_AUTHTYPE_MAX)
2504                 return false;
2505
2506         switch (cmd) {
2507         case NL80211_CMD_AUTHENTICATE:
2508                 if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
2509                     auth_type == NL80211_AUTHTYPE_SAE)
2510                         return false;
2511                 return true;
2512         case NL80211_CMD_CONNECT:
2513         case NL80211_CMD_START_AP:
2514                 /* SAE not supported yet */
2515                 if (auth_type == NL80211_AUTHTYPE_SAE)
2516                         return false;
2517                 return true;
2518         default:
2519                 return false;
2520         }
2521 }
2522
2523 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
2524 {
2525         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2526         struct net_device *dev = info->user_ptr[1];
2527         struct wireless_dev *wdev = dev->ieee80211_ptr;
2528         struct cfg80211_ap_settings params;
2529         int err;
2530
2531         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2532             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2533                 return -EOPNOTSUPP;
2534
2535         if (!rdev->ops->start_ap)
2536                 return -EOPNOTSUPP;
2537
2538         if (wdev->beacon_interval)
2539                 return -EALREADY;
2540
2541         memset(&params, 0, sizeof(params));
2542
2543         /* these are required for START_AP */
2544         if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
2545             !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
2546             !info->attrs[NL80211_ATTR_BEACON_HEAD])
2547                 return -EINVAL;
2548
2549         err = nl80211_parse_beacon(info, &params.beacon);
2550         if (err)
2551                 return err;
2552
2553         params.beacon_interval =
2554                 nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
2555         params.dtim_period =
2556                 nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
2557
2558         err = cfg80211_validate_beacon_int(rdev, params.beacon_interval);
2559         if (err)
2560                 return err;
2561
2562         /*
2563          * In theory, some of these attributes should be required here
2564          * but since they were not used when the command was originally
2565          * added, keep them optional for old user space programs to let
2566          * them continue to work with drivers that do not need the
2567          * additional information -- drivers must check!
2568          */
2569         if (info->attrs[NL80211_ATTR_SSID]) {
2570                 params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
2571                 params.ssid_len =
2572                         nla_len(info->attrs[NL80211_ATTR_SSID]);
2573                 if (params.ssid_len == 0 ||
2574                     params.ssid_len > IEEE80211_MAX_SSID_LEN)
2575                         return -EINVAL;
2576         }
2577
2578         if (info->attrs[NL80211_ATTR_HIDDEN_SSID]) {
2579                 params.hidden_ssid = nla_get_u32(
2580                         info->attrs[NL80211_ATTR_HIDDEN_SSID]);
2581                 if (params.hidden_ssid != NL80211_HIDDEN_SSID_NOT_IN_USE &&
2582                     params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_LEN &&
2583                     params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_CONTENTS)
2584                         return -EINVAL;
2585         }
2586
2587         params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
2588
2589         if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
2590                 params.auth_type = nla_get_u32(
2591                         info->attrs[NL80211_ATTR_AUTH_TYPE]);
2592                 if (!nl80211_valid_auth_type(rdev, params.auth_type,
2593                                              NL80211_CMD_START_AP))
2594                         return -EINVAL;
2595         } else
2596                 params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
2597
2598         err = nl80211_crypto_settings(rdev, info, &params.crypto,
2599                                       NL80211_MAX_NR_CIPHER_SUITES);
2600         if (err)
2601                 return err;
2602
2603         if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
2604                 if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
2605                         return -EOPNOTSUPP;
2606                 params.inactivity_timeout = nla_get_u16(
2607                         info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
2608         }
2609
2610         if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
2611                 enum nl80211_channel_type channel_type = NL80211_CHAN_NO_HT;
2612
2613                 if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE] &&
2614                     !nl80211_valid_channel_type(info, &channel_type))
2615                         return -EINVAL;
2616
2617                 params.channel = rdev_freq_to_chan(rdev,
2618                         nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]),
2619                         channel_type);
2620                 if (!params.channel)
2621                         return -EINVAL;
2622                 params.channel_type = channel_type;
2623         } else if (wdev->preset_chan) {
2624                 params.channel = wdev->preset_chan;
2625                 params.channel_type = wdev->preset_chantype;
2626         } else if (!nl80211_get_ap_channel(rdev, &params))
2627                 return -EINVAL;
2628
2629         if (!cfg80211_can_beacon_sec_chan(&rdev->wiphy, params.channel,
2630                                           params.channel_type))
2631                 return -EINVAL;
2632
2633         mutex_lock(&rdev->devlist_mtx);
2634         err = cfg80211_can_use_chan(rdev, wdev, params.channel,
2635                                     CHAN_MODE_SHARED);
2636         mutex_unlock(&rdev->devlist_mtx);
2637
2638         if (err)
2639                 return err;
2640
2641         err = rdev_start_ap(rdev, dev, &params);
2642         if (!err) {
2643                 wdev->preset_chan = params.channel;
2644                 wdev->preset_chantype = params.channel_type;
2645                 wdev->beacon_interval = params.beacon_interval;
2646                 wdev->channel = params.channel;
2647         }
2648         return err;
2649 }
2650
2651 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
2652 {
2653         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2654         struct net_device *dev = info->user_ptr[1];
2655         struct wireless_dev *wdev = dev->ieee80211_ptr;
2656         struct cfg80211_beacon_data params;
2657         int err;
2658
2659         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2660             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2661                 return -EOPNOTSUPP;
2662
2663         if (!rdev->ops->change_beacon)
2664                 return -EOPNOTSUPP;
2665
2666         if (!wdev->beacon_interval)
2667                 return -EINVAL;
2668
2669         err = nl80211_parse_beacon(info, &params);
2670         if (err)
2671                 return err;
2672
2673         return rdev_change_beacon(rdev, dev, &params);
2674 }
2675
2676 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
2677 {
2678         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2679         struct net_device *dev = info->user_ptr[1];
2680
2681         return cfg80211_stop_ap(rdev, dev);
2682 }
2683
2684 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
2685         [NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
2686         [NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
2687         [NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
2688         [NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
2689         [NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
2690         [NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
2691 };
2692
2693 static int parse_station_flags(struct genl_info *info,
2694                                enum nl80211_iftype iftype,
2695                                struct station_parameters *params)
2696 {
2697         struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
2698         struct nlattr *nla;
2699         int flag;
2700
2701         /*
2702          * Try parsing the new attribute first so userspace
2703          * can specify both for older kernels.
2704          */
2705         nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
2706         if (nla) {
2707                 struct nl80211_sta_flag_update *sta_flags;
2708
2709                 sta_flags = nla_data(nla);
2710                 params->sta_flags_mask = sta_flags->mask;
2711                 params->sta_flags_set = sta_flags->set;
2712                 if ((params->sta_flags_mask |
2713                      params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
2714                         return -EINVAL;
2715                 return 0;
2716         }
2717
2718         /* if present, parse the old attribute */
2719
2720         nla = info->attrs[NL80211_ATTR_STA_FLAGS];
2721         if (!nla)
2722                 return 0;
2723
2724         if (nla_parse_nested(flags, NL80211_STA_FLAG_MAX,
2725                              nla, sta_flags_policy))
2726                 return -EINVAL;
2727
2728         /*
2729          * Only allow certain flags for interface types so that
2730          * other attributes are silently ignored. Remember that
2731          * this is backward compatibility code with old userspace
2732          * and shouldn't be hit in other cases anyway.
2733          */
2734         switch (iftype) {
2735         case NL80211_IFTYPE_AP:
2736         case NL80211_IFTYPE_AP_VLAN:
2737         case NL80211_IFTYPE_P2P_GO:
2738                 params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
2739                                          BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
2740                                          BIT(NL80211_STA_FLAG_WME) |
2741                                          BIT(NL80211_STA_FLAG_MFP);
2742                 break;
2743         case NL80211_IFTYPE_P2P_CLIENT:
2744         case NL80211_IFTYPE_STATION:
2745                 params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
2746                                          BIT(NL80211_STA_FLAG_TDLS_PEER);
2747                 break;
2748         case NL80211_IFTYPE_MESH_POINT:
2749                 params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
2750                                          BIT(NL80211_STA_FLAG_MFP) |
2751                                          BIT(NL80211_STA_FLAG_AUTHORIZED);
2752         default:
2753                 return -EINVAL;
2754         }
2755
2756         for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
2757                 if (flags[flag]) {
2758                         params->sta_flags_set |= (1<<flag);
2759
2760                         /* no longer support new API additions in old API */
2761                         if (flag > NL80211_STA_FLAG_MAX_OLD_API)
2762                                 return -EINVAL;
2763                 }
2764         }
2765
2766         return 0;
2767 }
2768
2769 static bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info,
2770                                  int attr)
2771 {
2772         struct nlattr *rate;
2773         u32 bitrate;
2774         u16 bitrate_compat;
2775
2776         rate = nla_nest_start(msg, attr);
2777         if (!rate)
2778                 goto nla_put_failure;
2779
2780         /* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
2781         bitrate = cfg80211_calculate_bitrate(info);
2782         /* report 16-bit bitrate only if we can */
2783         bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
2784         if ((bitrate > 0 &&
2785              nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate)) ||
2786             (bitrate_compat > 0 &&
2787              nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat)) ||
2788             ((info->flags & RATE_INFO_FLAGS_MCS) &&
2789              nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs)) ||
2790             ((info->flags & RATE_INFO_FLAGS_40_MHZ_WIDTH) &&
2791              nla_put_flag(msg, NL80211_RATE_INFO_40_MHZ_WIDTH)) ||
2792             ((info->flags & RATE_INFO_FLAGS_SHORT_GI) &&
2793              nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI)))
2794                 goto nla_put_failure;
2795
2796         nla_nest_end(msg, rate);
2797         return true;
2798
2799 nla_put_failure:
2800         return false;
2801 }
2802
2803 static int nl80211_send_station(struct sk_buff *msg, u32 portid, u32 seq,
2804                                 int flags,
2805                                 struct cfg80211_registered_device *rdev,
2806                                 struct net_device *dev,
2807                                 const u8 *mac_addr, struct station_info *sinfo)
2808 {
2809         void *hdr;
2810         struct nlattr *sinfoattr, *bss_param;
2811
2812         hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_STATION);
2813         if (!hdr)
2814                 return -1;
2815
2816         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2817             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
2818             nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
2819                 goto nla_put_failure;
2820
2821         sinfoattr = nla_nest_start(msg, NL80211_ATTR_STA_INFO);
2822         if (!sinfoattr)
2823                 goto nla_put_failure;
2824         if ((sinfo->filled & STATION_INFO_CONNECTED_TIME) &&
2825             nla_put_u32(msg, NL80211_STA_INFO_CONNECTED_TIME,
2826                         sinfo->connected_time))
2827                 goto nla_put_failure;
2828         if ((sinfo->filled & STATION_INFO_INACTIVE_TIME) &&
2829             nla_put_u32(msg, NL80211_STA_INFO_INACTIVE_TIME,
2830                         sinfo->inactive_time))
2831                 goto nla_put_failure;
2832         if ((sinfo->filled & STATION_INFO_RX_BYTES) &&
2833             nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
2834                         sinfo->rx_bytes))
2835                 goto nla_put_failure;
2836         if ((sinfo->filled & STATION_INFO_TX_BYTES) &&
2837             nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
2838                         sinfo->tx_bytes))
2839                 goto nla_put_failure;
2840         if ((sinfo->filled & STATION_INFO_LLID) &&
2841             nla_put_u16(msg, NL80211_STA_INFO_LLID, sinfo->llid))
2842                 goto nla_put_failure;
2843         if ((sinfo->filled & STATION_INFO_PLID) &&
2844             nla_put_u16(msg, NL80211_STA_INFO_PLID, sinfo->plid))
2845                 goto nla_put_failure;
2846         if ((sinfo->filled & STATION_INFO_PLINK_STATE) &&
2847             nla_put_u8(msg, NL80211_STA_INFO_PLINK_STATE,
2848                        sinfo->plink_state))
2849                 goto nla_put_failure;
2850         switch (rdev->wiphy.signal_type) {
2851         case CFG80211_SIGNAL_TYPE_MBM:
2852                 if ((sinfo->filled & STATION_INFO_SIGNAL) &&
2853                     nla_put_u8(msg, NL80211_STA_INFO_SIGNAL,
2854                                sinfo->signal))
2855                         goto nla_put_failure;
2856                 if ((sinfo->filled & STATION_INFO_SIGNAL_AVG) &&
2857                     nla_put_u8(msg, NL80211_STA_INFO_SIGNAL_AVG,
2858                                sinfo->signal_avg))
2859                         goto nla_put_failure;
2860                 break;
2861         default:
2862                 break;
2863         }
2864         if (sinfo->filled & STATION_INFO_TX_BITRATE) {
2865                 if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
2866                                           NL80211_STA_INFO_TX_BITRATE))
2867                         goto nla_put_failure;
2868         }
2869         if (sinfo->filled & STATION_INFO_RX_BITRATE) {
2870                 if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
2871                                           NL80211_STA_INFO_RX_BITRATE))
2872                         goto nla_put_failure;
2873         }
2874         if ((sinfo->filled & STATION_INFO_RX_PACKETS) &&
2875             nla_put_u32(msg, NL80211_STA_INFO_RX_PACKETS,
2876                         sinfo->rx_packets))
2877                 goto nla_put_failure;
2878         if ((sinfo->filled & STATION_INFO_TX_PACKETS) &&
2879             nla_put_u32(msg, NL80211_STA_INFO_TX_PACKETS,
2880                         sinfo->tx_packets))
2881                 goto nla_put_failure;
2882         if ((sinfo->filled & STATION_INFO_TX_RETRIES) &&
2883             nla_put_u32(msg, NL80211_STA_INFO_TX_RETRIES,
2884                         sinfo->tx_retries))
2885                 goto nla_put_failure;
2886         if ((sinfo->filled & STATION_INFO_TX_FAILED) &&
2887             nla_put_u32(msg, NL80211_STA_INFO_TX_FAILED,
2888                         sinfo->tx_failed))
2889                 goto nla_put_failure;
2890         if ((sinfo->filled & STATION_INFO_BEACON_LOSS_COUNT) &&
2891             nla_put_u32(msg, NL80211_STA_INFO_BEACON_LOSS,
2892                         sinfo->beacon_loss_count))
2893                 goto nla_put_failure;
2894         if (sinfo->filled & STATION_INFO_BSS_PARAM) {
2895                 bss_param = nla_nest_start(msg, NL80211_STA_INFO_BSS_PARAM);
2896                 if (!bss_param)
2897                         goto nla_put_failure;
2898
2899                 if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
2900                      nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
2901                     ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
2902                      nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
2903                     ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
2904                      nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
2905                     nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
2906                                sinfo->bss_param.dtim_period) ||
2907                     nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
2908                                 sinfo->bss_param.beacon_interval))
2909                         goto nla_put_failure;
2910
2911                 nla_nest_end(msg, bss_param);
2912         }
2913         if ((sinfo->filled & STATION_INFO_STA_FLAGS) &&
2914             nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
2915                     sizeof(struct nl80211_sta_flag_update),
2916                     &sinfo->sta_flags))
2917                 goto nla_put_failure;
2918         if ((sinfo->filled & STATION_INFO_T_OFFSET) &&
2919                 nla_put_u64(msg, NL80211_STA_INFO_T_OFFSET,
2920                             sinfo->t_offset))
2921                 goto nla_put_failure;
2922         nla_nest_end(msg, sinfoattr);
2923
2924         if ((sinfo->filled & STATION_INFO_ASSOC_REQ_IES) &&
2925             nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
2926                     sinfo->assoc_req_ies))
2927                 goto nla_put_failure;
2928
2929         return genlmsg_end(msg, hdr);
2930
2931  nla_put_failure:
2932         genlmsg_cancel(msg, hdr);
2933         return -EMSGSIZE;
2934 }
2935
2936 static int nl80211_dump_station(struct sk_buff *skb,
2937                                 struct netlink_callback *cb)
2938 {
2939         struct station_info sinfo;
2940         struct cfg80211_registered_device *dev;
2941         struct net_device *netdev;
2942         u8 mac_addr[ETH_ALEN];
2943         int sta_idx = cb->args[1];
2944         int err;
2945
2946         err = nl80211_prepare_netdev_dump(skb, cb, &dev, &netdev);
2947         if (err)
2948                 return err;
2949
2950         if (!dev->ops->dump_station) {
2951                 err = -EOPNOTSUPP;
2952                 goto out_err;
2953         }
2954
2955         while (1) {
2956                 memset(&sinfo, 0, sizeof(sinfo));
2957                 err = rdev_dump_station(dev, netdev, sta_idx,
2958                                         mac_addr, &sinfo);
2959                 if (err == -ENOENT)
2960                         break;
2961                 if (err)
2962                         goto out_err;
2963
2964                 if (nl80211_send_station(skb,
2965                                 NETLINK_CB(cb->skb).portid,
2966                                 cb->nlh->nlmsg_seq, NLM_F_MULTI,
2967                                 dev, netdev, mac_addr,
2968                                 &sinfo) < 0)
2969                         goto out;
2970
2971                 sta_idx++;
2972         }
2973
2974
2975  out:
2976         cb->args[1] = sta_idx;
2977         err = skb->len;
2978  out_err:
2979         nl80211_finish_netdev_dump(dev);
2980
2981         return err;
2982 }
2983
2984 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
2985 {
2986         struct cfg80211_registered_device *rdev = info->user_ptr[0];
2987         struct net_device *dev = info->user_ptr[1];
2988         struct station_info sinfo;
2989         struct sk_buff *msg;
2990         u8 *mac_addr = NULL;
2991         int err;
2992
2993         memset(&sinfo, 0, sizeof(sinfo));
2994
2995         if (!info->attrs[NL80211_ATTR_MAC])
2996                 return -EINVAL;
2997
2998         mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
2999
3000         if (!rdev->ops->get_station)
3001                 return -EOPNOTSUPP;
3002
3003         err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
3004         if (err)
3005                 return err;
3006
3007         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3008         if (!msg)
3009                 return -ENOMEM;
3010
3011         if (nl80211_send_station(msg, info->snd_portid, info->snd_seq, 0,
3012                                  rdev, dev, mac_addr, &sinfo) < 0) {
3013                 nlmsg_free(msg);
3014                 return -ENOBUFS;
3015         }
3016
3017         return genlmsg_reply(msg, info);
3018 }
3019
3020 /*
3021  * Get vlan interface making sure it is running and on the right wiphy.
3022  */
3023 static struct net_device *get_vlan(struct genl_info *info,
3024                                    struct cfg80211_registered_device *rdev)
3025 {
3026         struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
3027         struct net_device *v;
3028         int ret;
3029
3030         if (!vlanattr)
3031                 return NULL;
3032
3033         v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
3034         if (!v)
3035                 return ERR_PTR(-ENODEV);
3036
3037         if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
3038                 ret = -EINVAL;
3039                 goto error;
3040         }
3041
3042         if (!netif_running(v)) {
3043                 ret = -ENETDOWN;
3044                 goto error;
3045         }
3046
3047         return v;
3048  error:
3049         dev_put(v);
3050         return ERR_PTR(ret);
3051 }
3052
3053 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
3054 {
3055         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3056         int err;
3057         struct net_device *dev = info->user_ptr[1];
3058         struct station_parameters params;
3059         u8 *mac_addr = NULL;
3060
3061         memset(&params, 0, sizeof(params));
3062
3063         params.listen_interval = -1;
3064         params.plink_state = -1;
3065
3066         if (info->attrs[NL80211_ATTR_STA_AID])
3067                 return -EINVAL;
3068
3069         if (!info->attrs[NL80211_ATTR_MAC])
3070                 return -EINVAL;
3071
3072         mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3073
3074         if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
3075                 params.supported_rates =
3076                         nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
3077                 params.supported_rates_len =
3078                         nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
3079         }
3080
3081         if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
3082                 params.listen_interval =
3083                     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
3084
3085         if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
3086                 params.ht_capa =
3087                         nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
3088
3089         if (!rdev->ops->change_station)
3090                 return -EOPNOTSUPP;
3091
3092         if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
3093                 return -EINVAL;
3094
3095         if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
3096                 params.plink_action =
3097                     nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
3098
3099         if (info->attrs[NL80211_ATTR_STA_PLINK_STATE])
3100                 params.plink_state =
3101                     nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
3102
3103         switch (dev->ieee80211_ptr->iftype) {
3104         case NL80211_IFTYPE_AP:
3105         case NL80211_IFTYPE_AP_VLAN:
3106         case NL80211_IFTYPE_P2P_GO:
3107                 /* disallow mesh-specific things */
3108                 if (params.plink_action)
3109                         return -EINVAL;
3110
3111                 /* TDLS can't be set, ... */
3112                 if (params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
3113                         return -EINVAL;
3114                 /*
3115                  * ... but don't bother the driver with it. This works around
3116                  * a hostapd/wpa_supplicant issue -- it always includes the
3117                  * TLDS_PEER flag in the mask even for AP mode.
3118                  */
3119                 params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3120
3121                 /* accept only the listed bits */
3122                 if (params.sta_flags_mask &
3123                                 ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
3124                                   BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
3125                                   BIT(NL80211_STA_FLAG_WME) |
3126                                   BIT(NL80211_STA_FLAG_MFP)))
3127                         return -EINVAL;
3128
3129                 /* must be last in here for error handling */
3130                 params.vlan = get_vlan(info, rdev);
3131                 if (IS_ERR(params.vlan))
3132                         return PTR_ERR(params.vlan);
3133                 break;
3134         case NL80211_IFTYPE_P2P_CLIENT:
3135         case NL80211_IFTYPE_STATION:
3136                 /*
3137                  * Don't allow userspace to change the TDLS_PEER flag,
3138                  * but silently ignore attempts to change it since we
3139                  * don't have state here to verify that it doesn't try
3140                  * to change the flag.
3141                  */
3142                 params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3143                 /* fall through */
3144         case NL80211_IFTYPE_ADHOC:
3145                 /* disallow things sta doesn't support */
3146                 if (params.plink_action)
3147                         return -EINVAL;
3148                 if (params.ht_capa)
3149                         return -EINVAL;
3150                 if (params.listen_interval >= 0)
3151                         return -EINVAL;
3152                 /* reject any changes other than AUTHORIZED */
3153                 if (params.sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
3154                         return -EINVAL;
3155                 break;
3156         case NL80211_IFTYPE_MESH_POINT:
3157                 /* disallow things mesh doesn't support */
3158                 if (params.vlan)
3159                         return -EINVAL;
3160                 if (params.ht_capa)
3161                         return -EINVAL;
3162                 if (params.listen_interval >= 0)
3163                         return -EINVAL;
3164                 /*
3165                  * No special handling for TDLS here -- the userspace
3166                  * mesh code doesn't have this bug.
3167                  */
3168                 if (params.sta_flags_mask &
3169                                 ~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
3170                                   BIT(NL80211_STA_FLAG_MFP) |
3171                                   BIT(NL80211_STA_FLAG_AUTHORIZED)))
3172                         return -EINVAL;
3173                 break;
3174         default:
3175                 return -EOPNOTSUPP;
3176         }
3177
3178         /* be aware of params.vlan when changing code here */
3179
3180         err = rdev_change_station(rdev, dev, mac_addr, &params);
3181
3182         if (params.vlan)
3183                 dev_put(params.vlan);
3184
3185         return err;
3186 }
3187
3188 static struct nla_policy
3189 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] __read_mostly = {
3190         [NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
3191         [NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
3192 };
3193
3194 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
3195 {
3196         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3197         int err;
3198         struct net_device *dev = info->user_ptr[1];
3199         struct station_parameters params;
3200         u8 *mac_addr = NULL;
3201
3202         memset(&params, 0, sizeof(params));
3203
3204         if (!info->attrs[NL80211_ATTR_MAC])
3205                 return -EINVAL;
3206
3207         if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
3208                 return -EINVAL;
3209
3210         if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
3211                 return -EINVAL;
3212
3213         if (!info->attrs[NL80211_ATTR_STA_AID])
3214                 return -EINVAL;
3215
3216         mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3217         params.supported_rates =
3218                 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
3219         params.supported_rates_len =
3220                 nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
3221         params.listen_interval =
3222                 nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
3223
3224         params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
3225         if (!params.aid || params.aid > IEEE80211_MAX_AID)
3226                 return -EINVAL;
3227
3228         if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
3229                 params.ht_capa =
3230                         nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
3231
3232         if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
3233                 params.vht_capa =
3234                         nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
3235
3236         if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
3237                 params.plink_action =
3238                     nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
3239
3240         if (!rdev->ops->add_station)
3241                 return -EOPNOTSUPP;
3242
3243         if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
3244                 return -EINVAL;
3245
3246         switch (dev->ieee80211_ptr->iftype) {
3247         case NL80211_IFTYPE_AP:
3248         case NL80211_IFTYPE_AP_VLAN:
3249         case NL80211_IFTYPE_P2P_GO:
3250                 /* parse WME attributes if sta is WME capable */
3251                 if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
3252                     (params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)) &&
3253                     info->attrs[NL80211_ATTR_STA_WME]) {
3254                         struct nlattr *tb[NL80211_STA_WME_MAX + 1];
3255                         struct nlattr *nla;
3256
3257                         nla = info->attrs[NL80211_ATTR_STA_WME];
3258                         err = nla_parse_nested(tb, NL80211_STA_WME_MAX, nla,
3259                                                nl80211_sta_wme_policy);
3260                         if (err)
3261                                 return err;
3262
3263                         if (tb[NL80211_STA_WME_UAPSD_QUEUES])
3264                                 params.uapsd_queues =
3265                                      nla_get_u8(tb[NL80211_STA_WME_UAPSD_QUEUES]);
3266                         if (params.uapsd_queues &
3267                                         ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
3268                                 return -EINVAL;
3269
3270                         if (tb[NL80211_STA_WME_MAX_SP])
3271                                 params.max_sp =
3272                                      nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
3273
3274                         if (params.max_sp &
3275                                         ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
3276                                 return -EINVAL;
3277
3278                         params.sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
3279                 }
3280                 /* TDLS peers cannot be added */
3281                 if (params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
3282                         return -EINVAL;
3283                 /* but don't bother the driver with it */
3284                 params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
3285
3286                 /* must be last in here for error handling */
3287                 params.vlan = get_vlan(info, rdev);
3288                 if (IS_ERR(params.vlan))
3289                         return PTR_ERR(params.vlan);
3290                 break;
3291         case NL80211_IFTYPE_MESH_POINT:
3292                 /* TDLS peers cannot be added */
3293                 if (params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
3294                         return -EINVAL;
3295                 break;
3296         case NL80211_IFTYPE_STATION:
3297                 /* Only TDLS peers can be added */
3298                 if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
3299                         return -EINVAL;
3300                 /* Can only add if TDLS ... */
3301                 if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
3302                         return -EOPNOTSUPP;
3303                 /* ... with external setup is supported */
3304                 if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
3305                         return -EOPNOTSUPP;
3306                 break;
3307         default:
3308                 return -EOPNOTSUPP;
3309         }
3310
3311         /* be aware of params.vlan when changing code here */
3312
3313         err = rdev_add_station(rdev, dev, mac_addr, &params);
3314
3315         if (params.vlan)
3316                 dev_put(params.vlan);
3317         return err;
3318 }
3319
3320 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
3321 {
3322         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3323         struct net_device *dev = info->user_ptr[1];
3324         u8 *mac_addr = NULL;
3325
3326         if (info->attrs[NL80211_ATTR_MAC])
3327                 mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3328
3329         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3330             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
3331             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
3332             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3333                 return -EINVAL;
3334
3335         if (!rdev->ops->del_station)
3336                 return -EOPNOTSUPP;
3337
3338         return rdev_del_station(rdev, dev, mac_addr);
3339 }
3340
3341 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
3342                                 int flags, struct net_device *dev,
3343                                 u8 *dst, u8 *next_hop,
3344                                 struct mpath_info *pinfo)
3345 {
3346         void *hdr;
3347         struct nlattr *pinfoattr;
3348
3349         hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_STATION);
3350         if (!hdr)
3351                 return -1;
3352
3353         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3354             nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
3355             nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
3356             nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
3357                 goto nla_put_failure;
3358
3359         pinfoattr = nla_nest_start(msg, NL80211_ATTR_MPATH_INFO);
3360         if (!pinfoattr)
3361                 goto nla_put_failure;
3362         if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
3363             nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
3364                         pinfo->frame_qlen))
3365                 goto nla_put_failure;
3366         if (((pinfo->filled & MPATH_INFO_SN) &&
3367              nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
3368             ((pinfo->filled & MPATH_INFO_METRIC) &&
3369              nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
3370                          pinfo->metric)) ||
3371             ((pinfo->filled & MPATH_INFO_EXPTIME) &&
3372              nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
3373                          pinfo->exptime)) ||
3374             ((pinfo->filled & MPATH_INFO_FLAGS) &&
3375              nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
3376                         pinfo->flags)) ||
3377             ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
3378              nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
3379                          pinfo->discovery_timeout)) ||
3380             ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
3381              nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
3382                         pinfo->discovery_retries)))
3383                 goto nla_put_failure;
3384
3385         nla_nest_end(msg, pinfoattr);
3386
3387         return genlmsg_end(msg, hdr);
3388
3389  nla_put_failure:
3390         genlmsg_cancel(msg, hdr);
3391         return -EMSGSIZE;
3392 }
3393
3394 static int nl80211_dump_mpath(struct sk_buff *skb,
3395                               struct netlink_callback *cb)
3396 {
3397         struct mpath_info pinfo;
3398         struct cfg80211_registered_device *dev;
3399         struct net_device *netdev;
3400         u8 dst[ETH_ALEN];
3401         u8 next_hop[ETH_ALEN];
3402         int path_idx = cb->args[1];
3403         int err;
3404
3405         err = nl80211_prepare_netdev_dump(skb, cb, &dev, &netdev);
3406         if (err)
3407                 return err;
3408
3409         if (!dev->ops->dump_mpath) {
3410                 err = -EOPNOTSUPP;
3411                 goto out_err;
3412         }
3413
3414         if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT) {
3415                 err = -EOPNOTSUPP;
3416                 goto out_err;
3417         }
3418
3419         while (1) {
3420                 err = rdev_dump_mpath(dev, netdev, path_idx, dst, next_hop,
3421                                       &pinfo);
3422                 if (err == -ENOENT)
3423                         break;
3424                 if (err)
3425                         goto out_err;
3426
3427                 if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
3428                                        cb->nlh->nlmsg_seq, NLM_F_MULTI,
3429                                        netdev, dst, next_hop,
3430                                        &pinfo) < 0)
3431                         goto out;
3432
3433                 path_idx++;
3434         }
3435
3436
3437  out:
3438         cb->args[1] = path_idx;
3439         err = skb->len;
3440  out_err:
3441         nl80211_finish_netdev_dump(dev);
3442         return err;
3443 }
3444
3445 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
3446 {
3447         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3448         int err;
3449         struct net_device *dev = info->user_ptr[1];
3450         struct mpath_info pinfo;
3451         struct sk_buff *msg;
3452         u8 *dst = NULL;
3453         u8 next_hop[ETH_ALEN];
3454
3455         memset(&pinfo, 0, sizeof(pinfo));
3456
3457         if (!info->attrs[NL80211_ATTR_MAC])
3458                 return -EINVAL;
3459
3460         dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
3461
3462         if (!rdev->ops->get_mpath)
3463                 return -EOPNOTSUPP;
3464
3465         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
3466                 return -EOPNOTSUPP;
3467
3468         err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
3469         if (err)
3470                 return err;
3471
3472         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3473         if (!msg)
3474                 return -ENOMEM;
3475
3476         if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
3477                                  dev, dst, next_hop, &pinfo) < 0) {
3478                 nlmsg_free(msg);
3479                 return -ENOBUFS;
3480         }
3481
3482         return genlmsg_reply(msg, info);
3483 }
3484
3485 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
3486 {
3487         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3488         struct net_device *dev = info->user_ptr[1];
3489         u8 *dst = NULL;
3490         u8 *next_hop = NULL;
3491
3492         if (!info->attrs[NL80211_ATTR_MAC])
3493                 return -EINVAL;
3494
3495         if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
3496                 return -EINVAL;
3497
3498         dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
3499         next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
3500
3501         if (!rdev->ops->change_mpath)
3502                 return -EOPNOTSUPP;
3503
3504         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
3505                 return -EOPNOTSUPP;
3506
3507         return rdev_change_mpath(rdev, dev, dst, next_hop);
3508 }
3509
3510 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
3511 {
3512         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3513         struct net_device *dev = info->user_ptr[1];
3514         u8 *dst = NULL;
3515         u8 *next_hop = NULL;
3516
3517         if (!info->attrs[NL80211_ATTR_MAC])
3518                 return -EINVAL;
3519
3520         if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
3521                 return -EINVAL;
3522
3523         dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
3524         next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
3525
3526         if (!rdev->ops->add_mpath)
3527                 return -EOPNOTSUPP;
3528
3529         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
3530                 return -EOPNOTSUPP;
3531
3532         return rdev_add_mpath(rdev, dev, dst, next_hop);
3533 }
3534
3535 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
3536 {
3537         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3538         struct net_device *dev = info->user_ptr[1];
3539         u8 *dst = NULL;
3540
3541         if (info->attrs[NL80211_ATTR_MAC])
3542                 dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
3543
3544         if (!rdev->ops->del_mpath)
3545                 return -EOPNOTSUPP;
3546
3547         return rdev_del_mpath(rdev, dev, dst);
3548 }
3549
3550 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
3551 {
3552         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3553         struct net_device *dev = info->user_ptr[1];
3554         struct bss_parameters params;
3555
3556         memset(&params, 0, sizeof(params));
3557         /* default to not changing parameters */
3558         params.use_cts_prot = -1;
3559         params.use_short_preamble = -1;
3560         params.use_short_slot_time = -1;
3561         params.ap_isolate = -1;
3562         params.ht_opmode = -1;
3563
3564         if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
3565                 params.use_cts_prot =
3566                     nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
3567         if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
3568                 params.use_short_preamble =
3569                     nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
3570         if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
3571                 params.use_short_slot_time =
3572                     nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
3573         if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
3574                 params.basic_rates =
3575                         nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
3576                 params.basic_rates_len =
3577                         nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
3578         }
3579         if (info->attrs[NL80211_ATTR_AP_ISOLATE])
3580                 params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
3581         if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
3582                 params.ht_opmode =
3583                         nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
3584
3585         if (!rdev->ops->change_bss)
3586                 return -EOPNOTSUPP;
3587
3588         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3589             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3590                 return -EOPNOTSUPP;
3591
3592         return rdev_change_bss(rdev, dev, &params);
3593 }
3594
3595 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
3596         [NL80211_ATTR_REG_RULE_FLAGS]           = { .type = NLA_U32 },
3597         [NL80211_ATTR_FREQ_RANGE_START]         = { .type = NLA_U32 },
3598         [NL80211_ATTR_FREQ_RANGE_END]           = { .type = NLA_U32 },
3599         [NL80211_ATTR_FREQ_RANGE_MAX_BW]        = { .type = NLA_U32 },
3600         [NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]  = { .type = NLA_U32 },
3601         [NL80211_ATTR_POWER_RULE_MAX_EIRP]      = { .type = NLA_U32 },
3602 };
3603
3604 static int parse_reg_rule(struct nlattr *tb[],
3605         struct ieee80211_reg_rule *reg_rule)
3606 {
3607         struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
3608         struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
3609
3610         if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
3611                 return -EINVAL;
3612         if (!tb[NL80211_ATTR_FREQ_RANGE_START])
3613                 return -EINVAL;
3614         if (!tb[NL80211_ATTR_FREQ_RANGE_END])
3615                 return -EINVAL;
3616         if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
3617                 return -EINVAL;
3618         if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
3619                 return -EINVAL;
3620
3621         reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
3622
3623         freq_range->start_freq_khz =
3624                 nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
3625         freq_range->end_freq_khz =
3626                 nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
3627         freq_range->max_bandwidth_khz =
3628                 nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
3629
3630         power_rule->max_eirp =
3631                 nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
3632
3633         if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
3634                 power_rule->max_antenna_gain =
3635                         nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
3636
3637         return 0;
3638 }
3639
3640 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
3641 {
3642         int r;
3643         char *data = NULL;
3644         enum nl80211_user_reg_hint_type user_reg_hint_type;
3645
3646         /*
3647          * You should only get this when cfg80211 hasn't yet initialized
3648          * completely when built-in to the kernel right between the time
3649          * window between nl80211_init() and regulatory_init(), if that is
3650          * even possible.
3651          */
3652         mutex_lock(&cfg80211_mutex);
3653         if (unlikely(!cfg80211_regdomain)) {
3654                 mutex_unlock(&cfg80211_mutex);
3655                 return -EINPROGRESS;
3656         }
3657         mutex_unlock(&cfg80211_mutex);
3658
3659         if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
3660                 return -EINVAL;
3661
3662         data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
3663
3664         if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
3665                 user_reg_hint_type =
3666                   nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
3667         else
3668                 user_reg_hint_type = NL80211_USER_REG_HINT_USER;
3669
3670         switch (user_reg_hint_type) {
3671         case NL80211_USER_REG_HINT_USER:
3672         case NL80211_USER_REG_HINT_CELL_BASE:
3673                 break;
3674         default:
3675                 return -EINVAL;
3676         }
3677
3678         r = regulatory_hint_user(data, user_reg_hint_type);
3679
3680         return r;
3681 }
3682
3683 static int nl80211_get_mesh_config(struct sk_buff *skb,
3684                                    struct genl_info *info)
3685 {
3686         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3687         struct net_device *dev = info->user_ptr[1];
3688         struct wireless_dev *wdev = dev->ieee80211_ptr;
3689         struct mesh_config cur_params;
3690         int err = 0;
3691         void *hdr;
3692         struct nlattr *pinfoattr;
3693         struct sk_buff *msg;
3694
3695         if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
3696                 return -EOPNOTSUPP;
3697
3698         if (!rdev->ops->get_mesh_config)
3699                 return -EOPNOTSUPP;
3700
3701         wdev_lock(wdev);
3702         /* If not connected, get default parameters */
3703         if (!wdev->mesh_id_len)
3704                 memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
3705         else
3706                 err = rdev_get_mesh_config(rdev, dev, &cur_params);
3707         wdev_unlock(wdev);
3708
3709         if (err)
3710                 return err;
3711
3712         /* Draw up a netlink message to send back */
3713         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3714         if (!msg)
3715                 return -ENOMEM;
3716         hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
3717                              NL80211_CMD_GET_MESH_CONFIG);
3718         if (!hdr)
3719                 goto out;
3720         pinfoattr = nla_nest_start(msg, NL80211_ATTR_MESH_CONFIG);
3721         if (!pinfoattr)
3722                 goto nla_put_failure;
3723         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3724             nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
3725                         cur_params.dot11MeshRetryTimeout) ||
3726             nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
3727                         cur_params.dot11MeshConfirmTimeout) ||
3728             nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
3729                         cur_params.dot11MeshHoldingTimeout) ||
3730             nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
3731                         cur_params.dot11MeshMaxPeerLinks) ||
3732             nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
3733                        cur_params.dot11MeshMaxRetries) ||
3734             nla_put_u8(msg, NL80211_MESHCONF_TTL,
3735                        cur_params.dot11MeshTTL) ||
3736             nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
3737                        cur_params.element_ttl) ||
3738             nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
3739                        cur_params.auto_open_plinks) ||
3740             nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
3741                         cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
3742             nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
3743                        cur_params.dot11MeshHWMPmaxPREQretries) ||
3744             nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
3745                         cur_params.path_refresh_time) ||
3746             nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
3747                         cur_params.min_discovery_timeout) ||
3748             nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
3749                         cur_params.dot11MeshHWMPactivePathTimeout) ||
3750             nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
3751                         cur_params.dot11MeshHWMPpreqMinInterval) ||
3752             nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
3753                         cur_params.dot11MeshHWMPperrMinInterval) ||
3754             nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
3755                         cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
3756             nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
3757                        cur_params.dot11MeshHWMPRootMode) ||
3758             nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
3759                         cur_params.dot11MeshHWMPRannInterval) ||
3760             nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
3761                        cur_params.dot11MeshGateAnnouncementProtocol) ||
3762             nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
3763                        cur_params.dot11MeshForwarding) ||
3764             nla_put_u32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
3765                         cur_params.rssi_threshold) ||
3766             nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
3767                         cur_params.ht_opmode) ||
3768             nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
3769                         cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
3770             nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
3771                         cur_params.dot11MeshHWMProotInterval) ||
3772             nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
3773                         cur_params.dot11MeshHWMPconfirmationInterval))
3774                 goto nla_put_failure;
3775         nla_nest_end(msg, pinfoattr);
3776         genlmsg_end(msg, hdr);
3777         return genlmsg_reply(msg, info);
3778
3779  nla_put_failure:
3780         genlmsg_cancel(msg, hdr);
3781  out:
3782         nlmsg_free(msg);
3783         return -ENOBUFS;
3784 }
3785
3786 static const struct nla_policy nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
3787         [NL80211_MESHCONF_RETRY_TIMEOUT] = { .type = NLA_U16 },
3788         [NL80211_MESHCONF_CONFIRM_TIMEOUT] = { .type = NLA_U16 },
3789         [NL80211_MESHCONF_HOLDING_TIMEOUT] = { .type = NLA_U16 },
3790         [NL80211_MESHCONF_MAX_PEER_LINKS] = { .type = NLA_U16 },
3791         [NL80211_MESHCONF_MAX_RETRIES] = { .type = NLA_U8 },
3792         [NL80211_MESHCONF_TTL] = { .type = NLA_U8 },
3793         [NL80211_MESHCONF_ELEMENT_TTL] = { .type = NLA_U8 },
3794         [NL80211_MESHCONF_AUTO_OPEN_PLINKS] = { .type = NLA_U8 },
3795         [NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] = { .type = NLA_U32 },
3796         [NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
3797         [NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
3798         [NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = { .type = NLA_U16 },
3799         [NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
3800         [NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] = { .type = NLA_U16 },
3801         [NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] = { .type = NLA_U16 },
3802         [NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] = { .type = NLA_U16 },
3803         [NL80211_MESHCONF_HWMP_ROOTMODE] = { .type = NLA_U8 },
3804         [NL80211_MESHCONF_HWMP_RANN_INTERVAL] = { .type = NLA_U16 },
3805         [NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = { .type = NLA_U8 },
3806         [NL80211_MESHCONF_FORWARDING] = { .type = NLA_U8 },
3807         [NL80211_MESHCONF_RSSI_THRESHOLD] = { .type = NLA_U32 },
3808         [NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
3809         [NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
3810         [NL80211_MESHCONF_HWMP_ROOT_INTERVAL] = { .type = NLA_U16 },
3811         [NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] = { .type = NLA_U16 },
3812 };
3813
3814 static const struct nla_policy
3815         nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
3816         [NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
3817         [NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
3818         [NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
3819         [NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
3820         [NL80211_MESH_SETUP_IE] = { .type = NLA_BINARY,
3821                                     .len = IEEE80211_MAX_DATA_LEN },
3822         [NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
3823 };
3824
3825 static int nl80211_parse_mesh_config(struct genl_info *info,
3826                                      struct mesh_config *cfg,
3827                                      u32 *mask_out)
3828 {
3829         struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
3830         u32 mask = 0;
3831
3832 #define FILL_IN_MESH_PARAM_IF_SET(table, cfg, param, mask, attr_num, nla_fn) \
3833 do {\
3834         if (table[attr_num]) {\
3835                 cfg->param = nla_fn(table[attr_num]); \
3836                 mask |= (1 << (attr_num - 1)); \
3837         } \
3838 } while (0);\
3839
3840
3841         if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
3842                 return -EINVAL;
3843         if (nla_parse_nested(tb, NL80211_MESHCONF_ATTR_MAX,
3844                              info->attrs[NL80211_ATTR_MESH_CONFIG],
3845                              nl80211_meshconf_params_policy))
3846                 return -EINVAL;
3847
3848         /* This makes sure that there aren't more than 32 mesh config
3849          * parameters (otherwise our bitfield scheme would not work.) */
3850         BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
3851
3852         /* Fill in the params struct */
3853         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout,
3854                                   mask, NL80211_MESHCONF_RETRY_TIMEOUT,
3855                                   nla_get_u16);
3856         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout,
3857                                   mask, NL80211_MESHCONF_CONFIRM_TIMEOUT,
3858                                   nla_get_u16);
3859         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout,
3860                                   mask, NL80211_MESHCONF_HOLDING_TIMEOUT,
3861                                   nla_get_u16);
3862         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks,
3863                                   mask, NL80211_MESHCONF_MAX_PEER_LINKS,
3864                                   nla_get_u16);
3865         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries,
3866                                   mask, NL80211_MESHCONF_MAX_RETRIES,
3867                                   nla_get_u8);
3868         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL,
3869                                   mask, NL80211_MESHCONF_TTL, nla_get_u8);
3870         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl,
3871                                   mask, NL80211_MESHCONF_ELEMENT_TTL,
3872                                   nla_get_u8);
3873         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks,
3874                                   mask, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
3875                                   nla_get_u8);
3876         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor, mask,
3877                                   NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
3878                                   nla_get_u32);
3879         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries,
3880                                   mask, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
3881                                   nla_get_u8);
3882         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time,
3883                                   mask, NL80211_MESHCONF_PATH_REFRESH_TIME,
3884                                   nla_get_u32);
3885         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout,
3886                                   mask, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
3887                                   nla_get_u16);
3888         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout, mask,
3889                                   NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
3890                                   nla_get_u32);
3891         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval,
3892                                   mask, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
3893                                   nla_get_u16);
3894         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval,
3895                                   mask, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
3896                                   nla_get_u16);
3897         FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
3898                                   dot11MeshHWMPnetDiameterTraversalTime, mask,
3899                                   NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
3900                                   nla_get_u16);
3901         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
3902                                   NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
3903         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
3904                                   NL80211_MESHCONF_HWMP_RANN_INTERVAL,
3905                                   nla_get_u16);
3906         FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
3907                                   dot11MeshGateAnnouncementProtocol, mask,
3908                                   NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
3909                                   nla_get_u8);
3910         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding,
3911                                   mask, NL80211_MESHCONF_FORWARDING,
3912                                   nla_get_u8);
3913         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold,
3914                                   mask, NL80211_MESHCONF_RSSI_THRESHOLD,
3915                                   nla_get_u32);
3916         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, ht_opmode,
3917                                   mask, NL80211_MESHCONF_HT_OPMODE,
3918                                   nla_get_u16);
3919         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathToRootTimeout,
3920                                   mask,
3921                                   NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
3922                                   nla_get_u32);
3923         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval,
3924                                   mask, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
3925                                   nla_get_u16);
3926         FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
3927                                   dot11MeshHWMPconfirmationInterval, mask,
3928                                   NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
3929                                   nla_get_u16);
3930         if (mask_out)
3931                 *mask_out = mask;
3932
3933         return 0;
3934
3935 #undef FILL_IN_MESH_PARAM_IF_SET
3936 }
3937
3938 static int nl80211_parse_mesh_setup(struct genl_info *info,
3939                                      struct mesh_setup *setup)
3940 {
3941         struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
3942
3943         if (!info->attrs[NL80211_ATTR_MESH_SETUP])
3944                 return -EINVAL;
3945         if (nla_parse_nested(tb, NL80211_MESH_SETUP_ATTR_MAX,
3946                              info->attrs[NL80211_ATTR_MESH_SETUP],
3947                              nl80211_mesh_setup_params_policy))
3948                 return -EINVAL;
3949
3950         if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
3951                 setup->sync_method =
3952                 (nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
3953                  IEEE80211_SYNC_METHOD_VENDOR :
3954                  IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
3955
3956         if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
3957                 setup->path_sel_proto =
3958                 (nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
3959                  IEEE80211_PATH_PROTOCOL_VENDOR :
3960                  IEEE80211_PATH_PROTOCOL_HWMP;
3961
3962         if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
3963                 setup->path_metric =
3964                 (nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
3965                  IEEE80211_PATH_METRIC_VENDOR :
3966                  IEEE80211_PATH_METRIC_AIRTIME;
3967
3968
3969         if (tb[NL80211_MESH_SETUP_IE]) {
3970                 struct nlattr *ieattr =
3971                         tb[NL80211_MESH_SETUP_IE];
3972                 if (!is_valid_ie_attr(ieattr))
3973                         return -EINVAL;
3974                 setup->ie = nla_data(ieattr);
3975                 setup->ie_len = nla_len(ieattr);
3976         }
3977         setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
3978         setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
3979
3980         return 0;
3981 }
3982
3983 static int nl80211_update_mesh_config(struct sk_buff *skb,
3984                                       struct genl_info *info)
3985 {
3986         struct cfg80211_registered_device *rdev = info->user_ptr[0];
3987         struct net_device *dev = info->user_ptr[1];
3988         struct wireless_dev *wdev = dev->ieee80211_ptr;
3989         struct mesh_config cfg;
3990         u32 mask;
3991         int err;
3992
3993         if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
3994                 return -EOPNOTSUPP;
3995
3996         if (!rdev->ops->update_mesh_config)
3997                 return -EOPNOTSUPP;
3998
3999         err = nl80211_parse_mesh_config(info, &cfg, &mask);
4000         if (err)
4001                 return err;
4002
4003         wdev_lock(wdev);
4004         if (!wdev->mesh_id_len)
4005                 err = -ENOLINK;
4006
4007         if (!err)
4008                 err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
4009
4010         wdev_unlock(wdev);
4011
4012         return err;
4013 }
4014
4015 static int nl80211_get_reg(struct sk_buff *skb, struct genl_info *info)
4016 {
4017         struct sk_buff *msg;
4018         void *hdr = NULL;
4019         struct nlattr *nl_reg_rules;
4020         unsigned int i;
4021         int err = -EINVAL;
4022
4023         mutex_lock(&cfg80211_mutex);
4024
4025         if (!cfg80211_regdomain)
4026                 goto out;
4027
4028         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4029         if (!msg) {
4030                 err = -ENOBUFS;
4031                 goto out;
4032         }
4033
4034         hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4035                              NL80211_CMD_GET_REG);
4036         if (!hdr)
4037                 goto put_failure;
4038
4039         if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
4040                            cfg80211_regdomain->alpha2) ||
4041             (cfg80211_regdomain->dfs_region &&
4042              nla_put_u8(msg, NL80211_ATTR_DFS_REGION,
4043                         cfg80211_regdomain->dfs_region)))
4044                 goto nla_put_failure;
4045
4046         if (reg_last_request_cell_base() &&
4047             nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
4048                         NL80211_USER_REG_HINT_CELL_BASE))
4049                 goto nla_put_failure;
4050
4051         nl_reg_rules = nla_nest_start(msg, NL80211_ATTR_REG_RULES);
4052         if (!nl_reg_rules)
4053                 goto nla_put_failure;
4054
4055         for (i = 0; i < cfg80211_regdomain->n_reg_rules; i++) {
4056                 struct nlattr *nl_reg_rule;
4057                 const struct ieee80211_reg_rule *reg_rule;
4058                 const struct ieee80211_freq_range *freq_range;
4059                 const struct ieee80211_power_rule *power_rule;
4060
4061                 reg_rule = &cfg80211_regdomain->reg_rules[i];
4062                 freq_range = &reg_rule->freq_range;
4063                 power_rule = &reg_rule->power_rule;
4064
4065                 nl_reg_rule = nla_nest_start(msg, i);
4066                 if (!nl_reg_rule)
4067                         goto nla_put_failure;
4068
4069                 if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
4070                                 reg_rule->flags) ||
4071                     nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
4072                                 freq_range->start_freq_khz) ||
4073                     nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
4074                                 freq_range->end_freq_khz) ||
4075                     nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
4076                                 freq_range->max_bandwidth_khz) ||
4077                     nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
4078                                 power_rule->max_antenna_gain) ||
4079                     nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
4080                                 power_rule->max_eirp))
4081                         goto nla_put_failure;
4082
4083                 nla_nest_end(msg, nl_reg_rule);
4084         }
4085
4086         nla_nest_end(msg, nl_reg_rules);
4087
4088         genlmsg_end(msg, hdr);
4089         err = genlmsg_reply(msg, info);
4090         goto out;
4091
4092 nla_put_failure:
4093         genlmsg_cancel(msg, hdr);
4094 put_failure:
4095         nlmsg_free(msg);
4096         err = -EMSGSIZE;
4097 out:
4098         mutex_unlock(&cfg80211_mutex);
4099         return err;
4100 }
4101
4102 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
4103 {
4104         struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
4105         struct nlattr *nl_reg_rule;
4106         char *alpha2 = NULL;
4107         int rem_reg_rules = 0, r = 0;
4108         u32 num_rules = 0, rule_idx = 0, size_of_regd;
4109         u8 dfs_region = 0;
4110         struct ieee80211_regdomain *rd = NULL;
4111
4112         if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
4113                 return -EINVAL;
4114
4115         if (!info->attrs[NL80211_ATTR_REG_RULES])
4116                 return -EINVAL;
4117
4118         alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
4119
4120         if (info->attrs[NL80211_ATTR_DFS_REGION])
4121                 dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
4122
4123         nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
4124                         rem_reg_rules) {
4125                 num_rules++;
4126                 if (num_rules > NL80211_MAX_SUPP_REG_RULES)
4127                         return -EINVAL;
4128         }
4129
4130         mutex_lock(&cfg80211_mutex);
4131
4132         if (!reg_is_valid_request(alpha2)) {
4133                 r = -EINVAL;
4134                 goto bad_reg;
4135         }
4136
4137         size_of_regd = sizeof(struct ieee80211_regdomain) +
4138                 (num_rules * sizeof(struct ieee80211_reg_rule));
4139
4140         rd = kzalloc(size_of_regd, GFP_KERNEL);
4141         if (!rd) {
4142                 r = -ENOMEM;
4143                 goto bad_reg;
4144         }
4145
4146         rd->n_reg_rules = num_rules;
4147         rd->alpha2[0] = alpha2[0];
4148         rd->alpha2[1] = alpha2[1];
4149
4150         /*
4151          * Disable DFS master mode if the DFS region was
4152          * not supported or known on this kernel.
4153          */
4154         if (reg_supported_dfs_region(dfs_region))
4155                 rd->dfs_region = dfs_region;
4156
4157         nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
4158                         rem_reg_rules) {
4159                 nla_parse(tb, NL80211_REG_RULE_ATTR_MAX,
4160                         nla_data(nl_reg_rule), nla_len(nl_reg_rule),
4161                         reg_rule_policy);
4162                 r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
4163                 if (r)
4164                         goto bad_reg;
4165
4166                 rule_idx++;
4167
4168                 if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
4169                         r = -EINVAL;
4170                         goto bad_reg;
4171                 }
4172         }
4173
4174         BUG_ON(rule_idx != num_rules);
4175
4176         r = set_regdom(rd);
4177
4178         mutex_unlock(&cfg80211_mutex);
4179
4180         return r;
4181
4182  bad_reg:
4183         mutex_unlock(&cfg80211_mutex);
4184         kfree(rd);
4185         return r;
4186 }
4187
4188 static int validate_scan_freqs(struct nlattr *freqs)
4189 {
4190         struct nlattr *attr1, *attr2;
4191         int n_channels = 0, tmp1, tmp2;
4192
4193         nla_for_each_nested(attr1, freqs, tmp1) {
4194                 n_channels++;
4195                 /*
4196                  * Some hardware has a limited channel list for
4197                  * scanning, and it is pretty much nonsensical
4198                  * to scan for a channel twice, so disallow that
4199                  * and don't require drivers to check that the
4200                  * channel list they get isn't longer than what
4201                  * they can scan, as long as they can scan all
4202                  * the channels they registered at once.
4203                  */
4204                 nla_for_each_nested(attr2, freqs, tmp2)
4205                         if (attr1 != attr2 &&
4206                             nla_get_u32(attr1) == nla_get_u32(attr2))
4207                                 return 0;
4208         }
4209
4210         return n_channels;
4211 }
4212
4213 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
4214 {
4215         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4216         struct wireless_dev *wdev = info->user_ptr[1];
4217         struct cfg80211_scan_request *request;
4218         struct nlattr *attr;
4219         struct wiphy *wiphy;
4220         int err, tmp, n_ssids = 0, n_channels, i;
4221         size_t ie_len;
4222
4223         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
4224                 return -EINVAL;
4225
4226         wiphy = &rdev->wiphy;
4227
4228         if (!rdev->ops->scan)
4229                 return -EOPNOTSUPP;
4230
4231         if (rdev->scan_req)
4232                 return -EBUSY;
4233
4234         if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
4235                 n_channels = validate_scan_freqs(
4236                                 info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
4237                 if (!n_channels)
4238                         return -EINVAL;
4239         } else {
4240                 enum ieee80211_band band;
4241                 n_channels = 0;
4242
4243                 for (band = 0; band < IEEE80211_NUM_BANDS; band++)
4244                         if (wiphy->bands[band])
4245                                 n_channels += wiphy->bands[band]->n_channels;
4246         }
4247
4248         if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
4249                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
4250                         n_ssids++;
4251
4252         if (n_ssids > wiphy->max_scan_ssids)
4253                 return -EINVAL;
4254
4255         if (info->attrs[NL80211_ATTR_IE])
4256                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
4257         else
4258                 ie_len = 0;
4259
4260         if (ie_len > wiphy->max_scan_ie_len)
4261                 return -EINVAL;
4262
4263         request = kzalloc(sizeof(*request)
4264                         + sizeof(*request->ssids) * n_ssids
4265                         + sizeof(*request->channels) * n_channels
4266                         + ie_len, GFP_KERNEL);
4267         if (!request)
4268                 return -ENOMEM;
4269
4270         if (n_ssids)
4271                 request->ssids = (void *)&request->channels[n_channels];
4272         request->n_ssids = n_ssids;
4273         if (ie_len) {
4274                 if (request->ssids)
4275                         request->ie = (void *)(request->ssids + n_ssids);
4276                 else
4277                         request->ie = (void *)(request->channels + n_channels);
4278         }
4279
4280         i = 0;
4281         if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
4282                 /* user specified, bail out if channel not found */
4283                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_FREQUENCIES], tmp) {
4284                         struct ieee80211_channel *chan;
4285
4286                         chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
4287
4288                         if (!chan) {
4289                                 err = -EINVAL;
4290                                 goto out_free;
4291                         }
4292
4293                         /* ignore disabled channels */
4294                         if (chan->flags & IEEE80211_CHAN_DISABLED)
4295                                 continue;
4296
4297                         request->channels[i] = chan;
4298                         i++;
4299                 }
4300         } else {
4301                 enum ieee80211_band band;
4302
4303                 /* all channels */
4304                 for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
4305                         int j;
4306                         if (!wiphy->bands[band])
4307                                 continue;
4308                         for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
4309                                 struct ieee80211_channel *chan;
4310
4311                                 chan = &wiphy->bands[band]->channels[j];
4312
4313                                 if (chan->flags & IEEE80211_CHAN_DISABLED)
4314                                         continue;
4315
4316                                 request->channels[i] = chan;
4317                                 i++;
4318                         }
4319                 }
4320         }
4321
4322         if (!i) {
4323                 err = -EINVAL;
4324                 goto out_free;
4325         }
4326
4327         request->n_channels = i;
4328
4329         i = 0;
4330         if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
4331                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
4332                         if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
4333                                 err = -EINVAL;
4334                                 goto out_free;
4335                         }
4336                         request->ssids[i].ssid_len = nla_len(attr);
4337                         memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
4338                         i++;
4339                 }
4340         }
4341
4342         if (info->attrs[NL80211_ATTR_IE]) {
4343                 request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
4344                 memcpy((void *)request->ie,
4345                        nla_data(info->attrs[NL80211_ATTR_IE]),
4346                        request->ie_len);
4347         }
4348
4349         for (i = 0; i < IEEE80211_NUM_BANDS; i++)
4350                 if (wiphy->bands[i])
4351                         request->rates[i] =
4352                                 (1 << wiphy->bands[i]->n_bitrates) - 1;
4353
4354         if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
4355                 nla_for_each_nested(attr,
4356                                     info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
4357                                     tmp) {
4358                         enum ieee80211_band band = nla_type(attr);
4359
4360                         if (band < 0 || band >= IEEE80211_NUM_BANDS) {
4361                                 err = -EINVAL;
4362                                 goto out_free;
4363                         }
4364                         err = ieee80211_get_ratemask(wiphy->bands[band],
4365                                                      nla_data(attr),
4366                                                      nla_len(attr),
4367                                                      &request->rates[band]);
4368                         if (err)
4369                                 goto out_free;
4370                 }
4371         }
4372
4373         if (info->attrs[NL80211_ATTR_SCAN_FLAGS]) {
4374                 request->flags = nla_get_u32(
4375                         info->attrs[NL80211_ATTR_SCAN_FLAGS]);
4376                 if (((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
4377                      !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
4378                     ((request->flags & NL80211_SCAN_FLAG_FLUSH) &&
4379                      !(wiphy->features & NL80211_FEATURE_SCAN_FLUSH))) {
4380                         err = -EOPNOTSUPP;
4381                         goto out_free;
4382                 }
4383         }
4384
4385         request->no_cck =
4386                 nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
4387
4388         request->wdev = wdev;
4389         request->wiphy = &rdev->wiphy;
4390         request->scan_start = jiffies;
4391
4392         rdev->scan_req = request;
4393         err = rdev_scan(rdev, request);
4394
4395         if (!err) {
4396                 nl80211_send_scan_start(rdev, wdev);
4397                 if (wdev->netdev)
4398                         dev_hold(wdev->netdev);
4399         } else {
4400  out_free:
4401                 rdev->scan_req = NULL;
4402                 kfree(request);
4403         }
4404
4405         return err;
4406 }
4407
4408 static int nl80211_start_sched_scan(struct sk_buff *skb,
4409                                     struct genl_info *info)
4410 {
4411         struct cfg80211_sched_scan_request *request;
4412         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4413         struct net_device *dev = info->user_ptr[1];
4414         struct nlattr *attr;
4415         struct wiphy *wiphy;
4416         int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i;
4417         u32 interval;
4418         enum ieee80211_band band;
4419         size_t ie_len;
4420         struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
4421
4422         if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
4423             !rdev->ops->sched_scan_start)
4424                 return -EOPNOTSUPP;
4425
4426         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
4427                 return -EINVAL;
4428
4429         if (!info->attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
4430                 return -EINVAL;
4431
4432         interval = nla_get_u32(info->attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
4433         if (interval == 0)
4434                 return -EINVAL;
4435
4436         wiphy = &rdev->wiphy;
4437
4438         if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
4439                 n_channels = validate_scan_freqs(
4440                                 info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
4441                 if (!n_channels)
4442                         return -EINVAL;
4443         } else {
4444                 n_channels = 0;
4445
4446                 for (band = 0; band < IEEE80211_NUM_BANDS; band++)
4447                         if (wiphy->bands[band])
4448                                 n_channels += wiphy->bands[band]->n_channels;
4449         }
4450
4451         if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
4452                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS],
4453                                     tmp)
4454                         n_ssids++;
4455
4456         if (n_ssids > wiphy->max_sched_scan_ssids)
4457                 return -EINVAL;
4458
4459         if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH])
4460                 nla_for_each_nested(attr,
4461                                     info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
4462                                     tmp)
4463                         n_match_sets++;
4464
4465         if (n_match_sets > wiphy->max_match_sets)
4466                 return -EINVAL;
4467
4468         if (info->attrs[NL80211_ATTR_IE])
4469                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
4470         else
4471                 ie_len = 0;
4472
4473         if (ie_len > wiphy->max_sched_scan_ie_len)
4474                 return -EINVAL;
4475
4476         mutex_lock(&rdev->sched_scan_mtx);
4477
4478         if (rdev->sched_scan_req) {
4479                 err = -EINPROGRESS;
4480                 goto out;
4481         }
4482
4483         request = kzalloc(sizeof(*request)
4484                         + sizeof(*request->ssids) * n_ssids
4485                         + sizeof(*request->match_sets) * n_match_sets
4486                         + sizeof(*request->channels) * n_channels
4487                         + ie_len, GFP_KERNEL);
4488         if (!request) {
4489                 err = -ENOMEM;
4490                 goto out;
4491         }
4492
4493         if (n_ssids)
4494                 request->ssids = (void *)&request->channels[n_channels];
4495         request->n_ssids = n_ssids;
4496         if (ie_len) {
4497                 if (request->ssids)
4498                         request->ie = (void *)(request->ssids + n_ssids);
4499                 else
4500                         request->ie = (void *)(request->channels + n_channels);
4501         }
4502
4503         if (n_match_sets) {
4504                 if (request->ie)
4505                         request->match_sets = (void *)(request->ie + ie_len);
4506                 else if (request->ssids)
4507                         request->match_sets =
4508                                 (void *)(request->ssids + n_ssids);
4509                 else
4510                         request->match_sets =
4511                                 (void *)(request->channels + n_channels);
4512         }
4513         request->n_match_sets = n_match_sets;
4514
4515         i = 0;
4516         if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
4517                 /* user specified, bail out if channel not found */
4518                 nla_for_each_nested(attr,
4519                                     info->attrs[NL80211_ATTR_SCAN_FREQUENCIES],
4520                                     tmp) {
4521                         struct ieee80211_channel *chan;
4522
4523                         chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
4524
4525                         if (!chan) {
4526                                 err = -EINVAL;
4527                                 goto out_free;
4528                         }
4529
4530                         /* ignore disabled channels */
4531                         if (chan->flags & IEEE80211_CHAN_DISABLED)
4532                                 continue;
4533
4534                         request->channels[i] = chan;
4535                         i++;
4536                 }
4537         } else {
4538                 /* all channels */
4539                 for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
4540                         int j;
4541                         if (!wiphy->bands[band])
4542                                 continue;
4543                         for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
4544                                 struct ieee80211_channel *chan;
4545
4546                                 chan = &wiphy->bands[band]->channels[j];
4547
4548                                 if (chan->flags & IEEE80211_CHAN_DISABLED)
4549                                         continue;
4550
4551                                 request->channels[i] = chan;
4552                                 i++;
4553                         }
4554                 }
4555         }
4556
4557         if (!i) {
4558                 err = -EINVAL;
4559                 goto out_free;
4560         }
4561
4562         request->n_channels = i;
4563
4564         i = 0;
4565         if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
4566                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS],
4567                                     tmp) {
4568                         if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
4569                                 err = -EINVAL;
4570                                 goto out_free;
4571                         }
4572                         request->ssids[i].ssid_len = nla_len(attr);
4573                         memcpy(request->ssids[i].ssid, nla_data(attr),
4574                                nla_len(attr));
4575                         i++;
4576                 }
4577         }
4578
4579         i = 0;
4580         if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
4581                 nla_for_each_nested(attr,
4582                                     info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
4583                                     tmp) {
4584                         struct nlattr *ssid, *rssi;
4585
4586                         nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
4587                                   nla_data(attr), nla_len(attr),
4588                                   nl80211_match_policy);
4589                         ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
4590                         if (ssid) {
4591                                 if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) {
4592                                         err = -EINVAL;
4593                                         goto out_free;
4594                                 }
4595                                 memcpy(request->match_sets[i].ssid.ssid,
4596                                        nla_data(ssid), nla_len(ssid));
4597                                 request->match_sets[i].ssid.ssid_len =
4598                                         nla_len(ssid);
4599                         }
4600                         rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
4601                         if (rssi)
4602                                 request->rssi_thold = nla_get_u32(rssi);
4603                         else
4604                                 request->rssi_thold =
4605                                                    NL80211_SCAN_RSSI_THOLD_OFF;
4606                         i++;
4607                 }
4608         }
4609
4610         if (info->attrs[NL80211_ATTR_IE]) {
4611                 request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
4612                 memcpy((void *)request->ie,
4613                        nla_data(info->attrs[NL80211_ATTR_IE]),
4614                        request->ie_len);
4615         }
4616
4617         if (info->attrs[NL80211_ATTR_SCAN_FLAGS]) {
4618                 request->flags = nla_get_u32(
4619                         info->attrs[NL80211_ATTR_SCAN_FLAGS]);
4620                 if (((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
4621                      !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
4622                     ((request->flags & NL80211_SCAN_FLAG_FLUSH) &&
4623                      !(wiphy->features & NL80211_FEATURE_SCAN_FLUSH))) {
4624                         err = -EOPNOTSUPP;
4625                         goto out_free;
4626                 }
4627         }
4628
4629         request->dev = dev;
4630         request->wiphy = &rdev->wiphy;
4631         request->interval = interval;
4632         request->scan_start = jiffies;
4633
4634         err = rdev_sched_scan_start(rdev, dev, request);
4635         if (!err) {
4636                 rdev->sched_scan_req = request;
4637                 nl80211_send_sched_scan(rdev, dev,
4638                                         NL80211_CMD_START_SCHED_SCAN);
4639                 goto out;
4640         }
4641
4642 out_free:
4643         kfree(request);
4644 out:
4645         mutex_unlock(&rdev->sched_scan_mtx);
4646         return err;
4647 }
4648
4649 static int nl80211_stop_sched_scan(struct sk_buff *skb,
4650                                    struct genl_info *info)
4651 {
4652         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4653         int err;
4654
4655         if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
4656             !rdev->ops->sched_scan_stop)
4657                 return -EOPNOTSUPP;
4658
4659         mutex_lock(&rdev->sched_scan_mtx);
4660         err = __cfg80211_stop_sched_scan(rdev, false);
4661         mutex_unlock(&rdev->sched_scan_mtx);
4662
4663         return err;
4664 }
4665
4666 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
4667                             u32 seq, int flags,
4668                             struct cfg80211_registered_device *rdev,
4669                             struct wireless_dev *wdev,
4670                             struct cfg80211_internal_bss *intbss)
4671 {
4672         struct cfg80211_bss *res = &intbss->pub;
4673         void *hdr;
4674         struct nlattr *bss;
4675
4676         ASSERT_WDEV_LOCK(wdev);
4677
4678         hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
4679                              NL80211_CMD_NEW_SCAN_RESULTS);
4680         if (!hdr)
4681                 return -1;
4682
4683         genl_dump_check_consistent(cb, hdr, &nl80211_fam);
4684
4685         if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation) ||
4686             nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
4687                 goto nla_put_failure;
4688
4689         bss = nla_nest_start(msg, NL80211_ATTR_BSS);
4690         if (!bss)
4691                 goto nla_put_failure;
4692         if ((!is_zero_ether_addr(res->bssid) &&
4693              nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)) ||
4694             (res->information_elements && res->len_information_elements &&
4695              nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
4696                      res->len_information_elements,
4697                      res->information_elements)) ||
4698             (res->beacon_ies && res->len_beacon_ies &&
4699              res->beacon_ies != res->information_elements &&
4700              nla_put(msg, NL80211_BSS_BEACON_IES,
4701                      res->len_beacon_ies, res->beacon_ies)))
4702                 goto nla_put_failure;
4703         if (res->tsf &&
4704             nla_put_u64(msg, NL80211_BSS_TSF, res->tsf))
4705                 goto nla_put_failure;
4706         if (res->beacon_interval &&
4707             nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
4708                 goto nla_put_failure;
4709         if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
4710             nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
4711             nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
4712                         jiffies_to_msecs(jiffies - intbss->ts)))
4713                 goto nla_put_failure;
4714
4715         switch (rdev->wiphy.signal_type) {
4716         case CFG80211_SIGNAL_TYPE_MBM:
4717                 if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
4718                         goto nla_put_failure;
4719                 break;
4720         case CFG80211_SIGNAL_TYPE_UNSPEC:
4721                 if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
4722                         goto nla_put_failure;
4723                 break;
4724         default:
4725                 break;
4726         }
4727
4728         switch (wdev->iftype) {
4729         case NL80211_IFTYPE_P2P_CLIENT:
4730         case NL80211_IFTYPE_STATION:
4731                 if (intbss == wdev->current_bss &&
4732                     nla_put_u32(msg, NL80211_BSS_STATUS,
4733                                 NL80211_BSS_STATUS_ASSOCIATED))
4734                         goto nla_put_failure;
4735                 break;
4736         case NL80211_IFTYPE_ADHOC:
4737                 if (intbss == wdev->current_bss &&
4738                     nla_put_u32(msg, NL80211_BSS_STATUS,
4739                                 NL80211_BSS_STATUS_IBSS_JOINED))
4740                         goto nla_put_failure;
4741                 break;
4742         default:
4743                 break;
4744         }
4745
4746         nla_nest_end(msg, bss);
4747
4748         return genlmsg_end(msg, hdr);
4749
4750  nla_put_failure:
4751         genlmsg_cancel(msg, hdr);
4752         return -EMSGSIZE;
4753 }
4754
4755 static int nl80211_dump_scan(struct sk_buff *skb,
4756                              struct netlink_callback *cb)
4757 {
4758         struct cfg80211_registered_device *rdev;
4759         struct net_device *dev;
4760         struct cfg80211_internal_bss *scan;
4761         struct wireless_dev *wdev;
4762         int start = cb->args[1], idx = 0;
4763         int err;
4764
4765         err = nl80211_prepare_netdev_dump(skb, cb, &rdev, &dev);
4766         if (err)
4767                 return err;
4768
4769         wdev = dev->ieee80211_ptr;
4770
4771         wdev_lock(wdev);
4772         spin_lock_bh(&rdev->bss_lock);
4773         cfg80211_bss_expire(rdev);
4774
4775         cb->seq = rdev->bss_generation;
4776
4777         list_for_each_entry(scan, &rdev->bss_list, list) {
4778                 if (++idx <= start)
4779                         continue;
4780                 if (nl80211_send_bss(skb, cb,
4781                                 cb->nlh->nlmsg_seq, NLM_F_MULTI,
4782                                 rdev, wdev, scan) < 0) {
4783                         idx--;
4784                         break;
4785                 }
4786         }
4787
4788         spin_unlock_bh(&rdev->bss_lock);
4789         wdev_unlock(wdev);
4790
4791         cb->args[1] = idx;
4792         nl80211_finish_netdev_dump(rdev);
4793
4794         return skb->len;
4795 }
4796
4797 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
4798                                 int flags, struct net_device *dev,
4799                                 struct survey_info *survey)
4800 {
4801         void *hdr;
4802         struct nlattr *infoattr;
4803
4804         hdr = nl80211hdr_put(msg, portid, seq, flags,
4805                              NL80211_CMD_NEW_SURVEY_RESULTS);
4806         if (!hdr)
4807                 return -ENOMEM;
4808
4809         if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
4810                 goto nla_put_failure;
4811
4812         infoattr = nla_nest_start(msg, NL80211_ATTR_SURVEY_INFO);
4813         if (!infoattr)
4814                 goto nla_put_failure;
4815
4816         if (nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
4817                         survey->channel->center_freq))
4818                 goto nla_put_failure;
4819
4820         if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
4821             nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
4822                 goto nla_put_failure;
4823         if ((survey->filled & SURVEY_INFO_IN_USE) &&
4824             nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
4825                 goto nla_put_failure;
4826         if ((survey->filled & SURVEY_INFO_CHANNEL_TIME) &&
4827             nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME,
4828                         survey->channel_time))
4829                 goto nla_put_failure;
4830         if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_BUSY) &&
4831             nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_BUSY,
4832                         survey->channel_time_busy))
4833                 goto nla_put_failure;
4834         if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_EXT_BUSY) &&
4835             nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_EXT_BUSY,
4836                         survey->channel_time_ext_busy))
4837                 goto nla_put_failure;
4838         if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_RX) &&
4839             nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_RX,
4840                         survey->channel_time_rx))
4841                 goto nla_put_failure;
4842         if ((survey->filled & SURVEY_INFO_CHANNEL_TIME_TX) &&
4843             nla_put_u64(msg, NL80211_SURVEY_INFO_CHANNEL_TIME_TX,
4844                         survey->channel_time_tx))
4845                 goto nla_put_failure;
4846
4847         nla_nest_end(msg, infoattr);
4848
4849         return genlmsg_end(msg, hdr);
4850
4851  nla_put_failure:
4852         genlmsg_cancel(msg, hdr);
4853         return -EMSGSIZE;
4854 }
4855
4856 static int nl80211_dump_survey(struct sk_buff *skb,
4857                         struct netlink_callback *cb)
4858 {
4859         struct survey_info survey;
4860         struct cfg80211_registered_device *dev;
4861         struct net_device *netdev;
4862         int survey_idx = cb->args[1];
4863         int res;
4864
4865         res = nl80211_prepare_netdev_dump(skb, cb, &dev, &netdev);
4866         if (res)
4867                 return res;
4868
4869         if (!dev->ops->dump_survey) {
4870                 res = -EOPNOTSUPP;
4871                 goto out_err;
4872         }
4873
4874         while (1) {
4875                 struct ieee80211_channel *chan;
4876
4877                 res = rdev_dump_survey(dev, netdev, survey_idx, &survey);
4878                 if (res == -ENOENT)
4879                         break;
4880                 if (res)
4881                         goto out_err;
4882
4883                 /* Survey without a channel doesn't make sense */
4884                 if (!survey.channel) {
4885                         res = -EINVAL;
4886                         goto out;
4887                 }
4888
4889                 chan = ieee80211_get_channel(&dev->wiphy,
4890                                              survey.channel->center_freq);
4891                 if (!chan || chan->flags & IEEE80211_CHAN_DISABLED) {
4892                         survey_idx++;
4893                         continue;
4894                 }
4895
4896                 if (nl80211_send_survey(skb,
4897                                 NETLINK_CB(cb->skb).portid,
4898                                 cb->nlh->nlmsg_seq, NLM_F_MULTI,
4899                                 netdev,
4900                                 &survey) < 0)
4901                         goto out;
4902                 survey_idx++;
4903         }
4904
4905  out:
4906         cb->args[1] = survey_idx;
4907         res = skb->len;
4908  out_err:
4909         nl80211_finish_netdev_dump(dev);
4910         return res;
4911 }
4912
4913 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
4914 {
4915         return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
4916                                   NL80211_WPA_VERSION_2));
4917 }
4918
4919 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
4920 {
4921         struct cfg80211_registered_device *rdev = info->user_ptr[0];
4922         struct net_device *dev = info->user_ptr[1];
4923         struct ieee80211_channel *chan;
4924         const u8 *bssid, *ssid, *ie = NULL, *sae_data = NULL;
4925         int err, ssid_len, ie_len = 0, sae_data_len = 0;
4926         enum nl80211_auth_type auth_type;
4927         struct key_parse key;
4928         bool local_state_change;
4929
4930         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
4931                 return -EINVAL;
4932
4933         if (!info->attrs[NL80211_ATTR_MAC])
4934                 return -EINVAL;
4935
4936         if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
4937                 return -EINVAL;
4938
4939         if (!info->attrs[NL80211_ATTR_SSID])
4940                 return -EINVAL;
4941
4942         if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
4943                 return -EINVAL;
4944
4945         err = nl80211_parse_key(info, &key);
4946         if (err)
4947                 return err;
4948
4949         if (key.idx >= 0) {
4950                 if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
4951                         return -EINVAL;
4952                 if (!key.p.key || !key.p.key_len)
4953                         return -EINVAL;
4954                 if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
4955                      key.p.key_len != WLAN_KEY_LEN_WEP40) &&
4956                     (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
4957                      key.p.key_len != WLAN_KEY_LEN_WEP104))
4958                         return -EINVAL;
4959                 if (key.idx > 4)
4960                         return -EINVAL;
4961         } else {
4962                 key.p.key_len = 0;
4963                 key.p.key = NULL;
4964         }
4965
4966         if (key.idx >= 0) {
4967                 int i;
4968                 bool ok = false;
4969                 for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
4970                         if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
4971                                 ok = true;
4972                                 break;
4973                         }
4974                 }
4975                 if (!ok)
4976                         return -EINVAL;
4977         }
4978
4979         if (!rdev->ops->auth)
4980                 return -EOPNOTSUPP;
4981
4982         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
4983             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
4984                 return -EOPNOTSUPP;
4985
4986         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
4987         chan = ieee80211_get_channel(&rdev->wiphy,
4988                 nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
4989         if (!chan || (chan->flags & IEEE80211_CHAN_DISABLED))
4990                 return -EINVAL;
4991
4992         ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
4993         ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
4994
4995         if (info->attrs[NL80211_ATTR_IE]) {
4996                 ie = nla_data(info->attrs[NL80211_ATTR_IE]);
4997                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
4998         }
4999
5000         auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
5001         if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
5002                 return -EINVAL;
5003
5004         if (auth_type == NL80211_AUTHTYPE_SAE &&
5005             !info->attrs[NL80211_ATTR_SAE_DATA])
5006                 return -EINVAL;
5007
5008         if (info->attrs[NL80211_ATTR_SAE_DATA]) {
5009                 if (auth_type != NL80211_AUTHTYPE_SAE)
5010                         return -EINVAL;
5011                 sae_data = nla_data(info->attrs[NL80211_ATTR_SAE_DATA]);
5012                 sae_data_len = nla_len(info->attrs[NL80211_ATTR_SAE_DATA]);
5013                 /* need to include at least Auth Transaction and Status Code */
5014                 if (sae_data_len < 4)
5015                         return -EINVAL;
5016         }
5017
5018         local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
5019
5020         /*
5021          * Since we no longer track auth state, ignore
5022          * requests to only change local state.
5023          */
5024         if (local_state_change)
5025                 return 0;
5026
5027         return cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
5028                                   ssid, ssid_len, ie, ie_len,
5029                                   key.p.key, key.p.key_len, key.idx,
5030                                   sae_data, sae_data_len);
5031 }
5032
5033 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
5034                                    struct genl_info *info,
5035                                    struct cfg80211_crypto_settings *settings,
5036                                    int cipher_limit)
5037 {
5038         memset(settings, 0, sizeof(*settings));
5039
5040         settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
5041
5042         if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
5043                 u16 proto;
5044                 proto = nla_get_u16(
5045                         info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
5046                 settings->control_port_ethertype = cpu_to_be16(proto);
5047                 if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
5048                     proto != ETH_P_PAE)
5049                         return -EINVAL;
5050                 if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
5051                         settings->control_port_no_encrypt = true;
5052         } else
5053                 settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
5054
5055         if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
5056                 void *data;
5057                 int len, i;
5058
5059                 data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
5060                 len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
5061                 settings->n_ciphers_pairwise = len / sizeof(u32);
5062
5063                 if (len % sizeof(u32))
5064                         return -EINVAL;
5065
5066                 if (settings->n_ciphers_pairwise > cipher_limit)
5067                         return -EINVAL;
5068
5069                 memcpy(settings->ciphers_pairwise, data, len);
5070
5071                 for (i = 0; i < settings->n_ciphers_pairwise; i++)
5072                         if (!cfg80211_supported_cipher_suite(
5073                                         &rdev->wiphy,
5074                                         settings->ciphers_pairwise[i]))
5075                                 return -EINVAL;
5076         }
5077
5078         if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
5079                 settings->cipher_group =
5080                         nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
5081                 if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
5082                                                      settings->cipher_group))
5083                         return -EINVAL;
5084         }
5085
5086         if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
5087                 settings->wpa_versions =
5088                         nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
5089                 if (!nl80211_valid_wpa_versions(settings->wpa_versions))
5090                         return -EINVAL;
5091         }
5092
5093         if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
5094                 void *data;
5095                 int len;
5096
5097                 data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
5098                 len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
5099                 settings->n_akm_suites = len / sizeof(u32);
5100
5101                 if (len % sizeof(u32))
5102                         return -EINVAL;
5103
5104                 if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
5105                         return -EINVAL;
5106
5107                 memcpy(settings->akm_suites, data, len);
5108         }
5109
5110         return 0;
5111 }
5112
5113 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
5114 {
5115         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5116         struct net_device *dev = info->user_ptr[1];
5117         struct cfg80211_crypto_settings crypto;
5118         struct ieee80211_channel *chan;
5119         const u8 *bssid, *ssid, *ie = NULL, *prev_bssid = NULL;
5120         int err, ssid_len, ie_len = 0;
5121         bool use_mfp = false;
5122         u32 flags = 0;
5123         struct ieee80211_ht_cap *ht_capa = NULL;
5124         struct ieee80211_ht_cap *ht_capa_mask = NULL;
5125
5126         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5127                 return -EINVAL;
5128
5129         if (!info->attrs[NL80211_ATTR_MAC] ||
5130             !info->attrs[NL80211_ATTR_SSID] ||
5131             !info->attrs[NL80211_ATTR_WIPHY_FREQ])
5132                 return -EINVAL;
5133
5134         if (!rdev->ops->assoc)
5135                 return -EOPNOTSUPP;
5136
5137         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5138             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5139                 return -EOPNOTSUPP;
5140
5141         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5142
5143         chan = ieee80211_get_channel(&rdev->wiphy,
5144                 nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
5145         if (!chan || (chan->flags & IEEE80211_CHAN_DISABLED))
5146                 return -EINVAL;
5147
5148         ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5149         ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
5150
5151         if (info->attrs[NL80211_ATTR_IE]) {
5152                 ie = nla_data(info->attrs[NL80211_ATTR_IE]);
5153                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5154         }
5155
5156         if (info->attrs[NL80211_ATTR_USE_MFP]) {
5157                 enum nl80211_mfp mfp =
5158                         nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
5159                 if (mfp == NL80211_MFP_REQUIRED)
5160                         use_mfp = true;
5161                 else if (mfp != NL80211_MFP_NO)
5162                         return -EINVAL;
5163         }
5164
5165         if (info->attrs[NL80211_ATTR_PREV_BSSID])
5166                 prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
5167
5168         if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
5169                 flags |= ASSOC_REQ_DISABLE_HT;
5170
5171         if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
5172                 ht_capa_mask =
5173                         nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]);
5174
5175         if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
5176                 if (!ht_capa_mask)
5177                         return -EINVAL;
5178                 ht_capa = nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
5179         }
5180
5181         err = nl80211_crypto_settings(rdev, info, &crypto, 1);
5182         if (!err)
5183                 err = cfg80211_mlme_assoc(rdev, dev, chan, bssid, prev_bssid,
5184                                           ssid, ssid_len, ie, ie_len, use_mfp,
5185                                           &crypto, flags, ht_capa,
5186                                           ht_capa_mask);
5187
5188         return err;
5189 }
5190
5191 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
5192 {
5193         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5194         struct net_device *dev = info->user_ptr[1];
5195         const u8 *ie = NULL, *bssid;
5196         int ie_len = 0;
5197         u16 reason_code;
5198         bool local_state_change;
5199
5200         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5201                 return -EINVAL;
5202
5203         if (!info->attrs[NL80211_ATTR_MAC])
5204                 return -EINVAL;
5205
5206         if (!info->attrs[NL80211_ATTR_REASON_CODE])
5207                 return -EINVAL;
5208
5209         if (!rdev->ops->deauth)
5210                 return -EOPNOTSUPP;
5211
5212         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5213             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5214                 return -EOPNOTSUPP;
5215
5216         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5217
5218         reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
5219         if (reason_code == 0) {
5220                 /* Reason Code 0 is reserved */
5221                 return -EINVAL;
5222         }
5223
5224         if (info->attrs[NL80211_ATTR_IE]) {
5225                 ie = nla_data(info->attrs[NL80211_ATTR_IE]);
5226                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5227         }
5228
5229         local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
5230
5231         return cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
5232                                     local_state_change);
5233 }
5234
5235 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
5236 {
5237         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5238         struct net_device *dev = info->user_ptr[1];
5239         const u8 *ie = NULL, *bssid;
5240         int ie_len = 0;
5241         u16 reason_code;
5242         bool local_state_change;
5243
5244         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5245                 return -EINVAL;
5246
5247         if (!info->attrs[NL80211_ATTR_MAC])
5248                 return -EINVAL;
5249
5250         if (!info->attrs[NL80211_ATTR_REASON_CODE])
5251                 return -EINVAL;
5252
5253         if (!rdev->ops->disassoc)
5254                 return -EOPNOTSUPP;
5255
5256         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5257             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5258                 return -EOPNOTSUPP;
5259
5260         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5261
5262         reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
5263         if (reason_code == 0) {
5264                 /* Reason Code 0 is reserved */
5265                 return -EINVAL;
5266         }
5267
5268         if (info->attrs[NL80211_ATTR_IE]) {
5269                 ie = nla_data(info->attrs[NL80211_ATTR_IE]);
5270                 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5271         }
5272
5273         local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
5274
5275         return cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
5276                                       local_state_change);
5277 }
5278
5279 static bool
5280 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
5281                          int mcast_rate[IEEE80211_NUM_BANDS],
5282                          int rateval)
5283 {
5284         struct wiphy *wiphy = &rdev->wiphy;
5285         bool found = false;
5286         int band, i;
5287
5288         for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
5289                 struct ieee80211_supported_band *sband;
5290
5291                 sband = wiphy->bands[band];
5292                 if (!sband)
5293                         continue;
5294
5295                 for (i = 0; i < sband->n_bitrates; i++) {
5296                         if (sband->bitrates[i].bitrate == rateval) {
5297                                 mcast_rate[band] = i + 1;
5298                                 found = true;
5299                                 break;
5300                         }
5301                 }
5302         }
5303
5304         return found;
5305 }
5306
5307 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
5308 {
5309         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5310         struct net_device *dev = info->user_ptr[1];
5311         struct cfg80211_ibss_params ibss;
5312         struct wiphy *wiphy;
5313         struct cfg80211_cached_keys *connkeys = NULL;
5314         int err;
5315
5316         memset(&ibss, 0, sizeof(ibss));
5317
5318         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5319                 return -EINVAL;
5320
5321         if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
5322             !info->attrs[NL80211_ATTR_SSID] ||
5323             !nla_len(info->attrs[NL80211_ATTR_SSID]))
5324                 return -EINVAL;
5325
5326         ibss.beacon_interval = 100;
5327
5328         if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
5329                 ibss.beacon_interval =
5330                         nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
5331                 if (ibss.beacon_interval < 1 || ibss.beacon_interval > 10000)
5332                         return -EINVAL;
5333         }
5334
5335         if (!rdev->ops->join_ibss)
5336                 return -EOPNOTSUPP;
5337
5338         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
5339                 return -EOPNOTSUPP;
5340
5341         wiphy = &rdev->wiphy;
5342
5343         if (info->attrs[NL80211_ATTR_MAC]) {
5344                 ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5345
5346                 if (!is_valid_ether_addr(ibss.bssid))
5347                         return -EINVAL;
5348         }
5349         ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5350         ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
5351
5352         if (info->attrs[NL80211_ATTR_IE]) {
5353                 ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
5354                 ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5355         }
5356
5357         if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
5358                 enum nl80211_channel_type channel_type;
5359
5360                 if (!nl80211_valid_channel_type(info, &channel_type))
5361                         return -EINVAL;
5362
5363                 if (channel_type != NL80211_CHAN_NO_HT &&
5364                     !(wiphy->features & NL80211_FEATURE_HT_IBSS))
5365                         return -EINVAL;
5366
5367                 ibss.channel_type = channel_type;
5368         } else {
5369                 ibss.channel_type = NL80211_CHAN_NO_HT;
5370         }
5371
5372         ibss.channel = rdev_freq_to_chan(rdev,
5373                 nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]),
5374                 ibss.channel_type);
5375         if (!ibss.channel ||
5376             ibss.channel->flags & IEEE80211_CHAN_NO_IBSS ||
5377             ibss.channel->flags & IEEE80211_CHAN_DISABLED)
5378                 return -EINVAL;
5379
5380         /* Both channels should be able to initiate communication */
5381         if ((ibss.channel_type == NL80211_CHAN_HT40PLUS ||
5382              ibss.channel_type == NL80211_CHAN_HT40MINUS) &&
5383             !cfg80211_can_beacon_sec_chan(&rdev->wiphy, ibss.channel,
5384                                           ibss.channel_type))
5385                 return -EINVAL;
5386
5387         ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
5388         ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
5389
5390         if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
5391                 u8 *rates =
5392                         nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
5393                 int n_rates =
5394                         nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
5395                 struct ieee80211_supported_band *sband =
5396                         wiphy->bands[ibss.channel->band];
5397
5398                 err = ieee80211_get_ratemask(sband, rates, n_rates,
5399                                              &ibss.basic_rates);
5400                 if (err)
5401                         return err;
5402         }
5403
5404         if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
5405             !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
5406                         nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
5407                 return -EINVAL;
5408
5409         if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
5410                 bool no_ht = false;
5411
5412                 connkeys = nl80211_parse_connkeys(rdev,
5413                                           info->attrs[NL80211_ATTR_KEYS],
5414                                           &no_ht);
5415                 if (IS_ERR(connkeys))
5416                         return PTR_ERR(connkeys);
5417
5418                 if ((ibss.channel_type != NL80211_CHAN_NO_HT) && no_ht) {
5419                         kfree(connkeys);
5420                         return -EINVAL;
5421                 }
5422         }
5423
5424         ibss.control_port =
5425                 nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
5426
5427         err = cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
5428         if (err)
5429                 kfree(connkeys);
5430         return err;
5431 }
5432
5433 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
5434 {
5435         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5436         struct net_device *dev = info->user_ptr[1];
5437
5438         if (!rdev->ops->leave_ibss)
5439                 return -EOPNOTSUPP;
5440
5441         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
5442                 return -EOPNOTSUPP;
5443
5444         return cfg80211_leave_ibss(rdev, dev, false);
5445 }
5446
5447 #ifdef CONFIG_NL80211_TESTMODE
5448 static struct genl_multicast_group nl80211_testmode_mcgrp = {
5449         .name = "testmode",
5450 };
5451
5452 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
5453 {
5454         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5455         int err;
5456
5457         if (!info->attrs[NL80211_ATTR_TESTDATA])
5458                 return -EINVAL;
5459
5460         err = -EOPNOTSUPP;
5461         if (rdev->ops->testmode_cmd) {
5462                 rdev->testmode_info = info;
5463                 err = rdev_testmode_cmd(rdev,
5464                                 nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
5465                                 nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
5466                 rdev->testmode_info = NULL;
5467         }
5468
5469         return err;
5470 }
5471
5472 static int nl80211_testmode_dump(struct sk_buff *skb,
5473                                  struct netlink_callback *cb)
5474 {
5475         struct cfg80211_registered_device *rdev;
5476         int err;
5477         long phy_idx;
5478         void *data = NULL;
5479         int data_len = 0;
5480
5481         if (cb->args[0]) {
5482                 /*
5483                  * 0 is a valid index, but not valid for args[0],
5484                  * so we need to offset by 1.
5485                  */
5486                 phy_idx = cb->args[0] - 1;
5487         } else {
5488                 err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
5489                                   nl80211_fam.attrbuf, nl80211_fam.maxattr,
5490                                   nl80211_policy);
5491                 if (err)
5492                         return err;
5493
5494                 mutex_lock(&cfg80211_mutex);
5495                 rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk),
5496                                                   nl80211_fam.attrbuf);
5497                 if (IS_ERR(rdev)) {
5498                         mutex_unlock(&cfg80211_mutex);
5499                         return PTR_ERR(rdev);
5500                 }
5501                 phy_idx = rdev->wiphy_idx;
5502                 rdev = NULL;
5503                 mutex_unlock(&cfg80211_mutex);
5504
5505                 if (nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA])
5506                         cb->args[1] =
5507                                 (long)nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA];
5508         }
5509
5510         if (cb->args[1]) {
5511                 data = nla_data((void *)cb->args[1]);
5512                 data_len = nla_len((void *)cb->args[1]);
5513         }
5514
5515         mutex_lock(&cfg80211_mutex);
5516         rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
5517         if (!rdev) {
5518                 mutex_unlock(&cfg80211_mutex);
5519                 return -ENOENT;
5520         }
5521         cfg80211_lock_rdev(rdev);
5522         mutex_unlock(&cfg80211_mutex);
5523
5524         if (!rdev->ops->testmode_dump) {
5525                 err = -EOPNOTSUPP;
5526                 goto out_err;
5527         }
5528
5529         while (1) {
5530                 void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
5531                                            cb->nlh->nlmsg_seq, NLM_F_MULTI,
5532                                            NL80211_CMD_TESTMODE);
5533                 struct nlattr *tmdata;
5534
5535                 if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
5536                         genlmsg_cancel(skb, hdr);
5537                         break;
5538                 }
5539
5540                 tmdata = nla_nest_start(skb, NL80211_ATTR_TESTDATA);
5541                 if (!tmdata) {
5542                         genlmsg_cancel(skb, hdr);
5543                         break;
5544                 }
5545                 err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
5546                 nla_nest_end(skb, tmdata);
5547
5548                 if (err == -ENOBUFS || err == -ENOENT) {
5549                         genlmsg_cancel(skb, hdr);
5550                         break;
5551                 } else if (err) {
5552                         genlmsg_cancel(skb, hdr);
5553                         goto out_err;
5554                 }
5555
5556                 genlmsg_end(skb, hdr);
5557         }
5558
5559         err = skb->len;
5560         /* see above */
5561         cb->args[0] = phy_idx + 1;
5562  out_err:
5563         cfg80211_unlock_rdev(rdev);
5564         return err;
5565 }
5566
5567 static struct sk_buff *
5568 __cfg80211_testmode_alloc_skb(struct cfg80211_registered_device *rdev,
5569                               int approxlen, u32 portid, u32 seq, gfp_t gfp)
5570 {
5571         struct sk_buff *skb;
5572         void *hdr;
5573         struct nlattr *data;
5574
5575         skb = nlmsg_new(approxlen + 100, gfp);
5576         if (!skb)
5577                 return NULL;
5578
5579         hdr = nl80211hdr_put(skb, portid, seq, 0, NL80211_CMD_TESTMODE);
5580         if (!hdr) {
5581                 kfree_skb(skb);
5582                 return NULL;
5583         }
5584
5585         if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
5586                 goto nla_put_failure;
5587         data = nla_nest_start(skb, NL80211_ATTR_TESTDATA);
5588
5589         ((void **)skb->cb)[0] = rdev;
5590         ((void **)skb->cb)[1] = hdr;
5591         ((void **)skb->cb)[2] = data;
5592
5593         return skb;
5594
5595  nla_put_failure:
5596         kfree_skb(skb);
5597         return NULL;
5598 }
5599
5600 struct sk_buff *cfg80211_testmode_alloc_reply_skb(struct wiphy *wiphy,
5601                                                   int approxlen)
5602 {
5603         struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
5604
5605         if (WARN_ON(!rdev->testmode_info))
5606                 return NULL;
5607
5608         return __cfg80211_testmode_alloc_skb(rdev, approxlen,
5609                                 rdev->testmode_info->snd_portid,
5610                                 rdev->testmode_info->snd_seq,
5611                                 GFP_KERNEL);
5612 }
5613 EXPORT_SYMBOL(cfg80211_testmode_alloc_reply_skb);
5614
5615 int cfg80211_testmode_reply(struct sk_buff *skb)
5616 {
5617         struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
5618         void *hdr = ((void **)skb->cb)[1];
5619         struct nlattr *data = ((void **)skb->cb)[2];
5620
5621         if (WARN_ON(!rdev->testmode_info)) {
5622                 kfree_skb(skb);
5623                 return -EINVAL;
5624         }
5625
5626         nla_nest_end(skb, data);
5627         genlmsg_end(skb, hdr);
5628         return genlmsg_reply(skb, rdev->testmode_info);
5629 }
5630 EXPORT_SYMBOL(cfg80211_testmode_reply);
5631
5632 struct sk_buff *cfg80211_testmode_alloc_event_skb(struct wiphy *wiphy,
5633                                                   int approxlen, gfp_t gfp)
5634 {
5635         struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
5636
5637         return __cfg80211_testmode_alloc_skb(rdev, approxlen, 0, 0, gfp);
5638 }
5639 EXPORT_SYMBOL(cfg80211_testmode_alloc_event_skb);
5640
5641 void cfg80211_testmode_event(struct sk_buff *skb, gfp_t gfp)
5642 {
5643         void *hdr = ((void **)skb->cb)[1];
5644         struct nlattr *data = ((void **)skb->cb)[2];
5645
5646         nla_nest_end(skb, data);
5647         genlmsg_end(skb, hdr);
5648         genlmsg_multicast(skb, 0, nl80211_testmode_mcgrp.id, gfp);
5649 }
5650 EXPORT_SYMBOL(cfg80211_testmode_event);
5651 #endif
5652
5653 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
5654 {
5655         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5656         struct net_device *dev = info->user_ptr[1];
5657         struct cfg80211_connect_params connect;
5658         struct wiphy *wiphy;
5659         struct cfg80211_cached_keys *connkeys = NULL;
5660         int err;
5661
5662         memset(&connect, 0, sizeof(connect));
5663
5664         if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
5665                 return -EINVAL;
5666
5667         if (!info->attrs[NL80211_ATTR_SSID] ||
5668             !nla_len(info->attrs[NL80211_ATTR_SSID]))
5669                 return -EINVAL;
5670
5671         if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
5672                 connect.auth_type =
5673                         nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
5674                 if (!nl80211_valid_auth_type(rdev, connect.auth_type,
5675                                              NL80211_CMD_CONNECT))
5676                         return -EINVAL;
5677         } else
5678                 connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
5679
5680         connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
5681
5682         err = nl80211_crypto_settings(rdev, info, &connect.crypto,
5683                                       NL80211_MAX_NR_CIPHER_SUITES);
5684         if (err)
5685                 return err;
5686
5687         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5688             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5689                 return -EOPNOTSUPP;
5690
5691         wiphy = &rdev->wiphy;
5692
5693         connect.bg_scan_period = -1;
5694         if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
5695                 (wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
5696                 connect.bg_scan_period =
5697                         nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
5698         }
5699
5700         if (info->attrs[NL80211_ATTR_MAC])
5701                 connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5702         connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5703         connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
5704
5705         if (info->attrs[NL80211_ATTR_IE]) {
5706                 connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
5707                 connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
5708         }
5709
5710         if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
5711                 connect.channel =
5712                         ieee80211_get_channel(wiphy,
5713                             nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
5714                 if (!connect.channel ||
5715                     connect.channel->flags & IEEE80211_CHAN_DISABLED)
5716                         return -EINVAL;
5717         }
5718
5719         if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
5720                 connkeys = nl80211_parse_connkeys(rdev,
5721                                           info->attrs[NL80211_ATTR_KEYS], NULL);
5722                 if (IS_ERR(connkeys))
5723                         return PTR_ERR(connkeys);
5724         }
5725
5726         if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
5727                 connect.flags |= ASSOC_REQ_DISABLE_HT;
5728
5729         if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
5730                 memcpy(&connect.ht_capa_mask,
5731                        nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
5732                        sizeof(connect.ht_capa_mask));
5733
5734         if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
5735                 if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
5736                         kfree(connkeys);
5737                         return -EINVAL;
5738                 }
5739                 memcpy(&connect.ht_capa,
5740                        nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
5741                        sizeof(connect.ht_capa));
5742         }
5743
5744         err = cfg80211_connect(rdev, dev, &connect, connkeys);
5745         if (err)
5746                 kfree(connkeys);
5747         return err;
5748 }
5749
5750 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
5751 {
5752         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5753         struct net_device *dev = info->user_ptr[1];
5754         u16 reason;
5755
5756         if (!info->attrs[NL80211_ATTR_REASON_CODE])
5757                 reason = WLAN_REASON_DEAUTH_LEAVING;
5758         else
5759                 reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
5760
5761         if (reason == 0)
5762                 return -EINVAL;
5763
5764         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5765             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5766                 return -EOPNOTSUPP;
5767
5768         return cfg80211_disconnect(rdev, dev, reason, true);
5769 }
5770
5771 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
5772 {
5773         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5774         struct net *net;
5775         int err;
5776         u32 pid;
5777
5778         if (!info->attrs[NL80211_ATTR_PID])
5779                 return -EINVAL;
5780
5781         pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
5782
5783         net = get_net_ns_by_pid(pid);
5784         if (IS_ERR(net))
5785                 return PTR_ERR(net);
5786
5787         err = 0;
5788
5789         /* check if anything to do */
5790         if (!net_eq(wiphy_net(&rdev->wiphy), net))
5791                 err = cfg80211_switch_netns(rdev, net);
5792
5793         put_net(net);
5794         return err;
5795 }
5796
5797 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
5798 {
5799         struct cfg80211_registered_device *rdev = info->user_ptr[0];
5800         int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
5801                         struct cfg80211_pmksa *pmksa) = NULL;
5802         struct net_device *dev = info->user_ptr[1];
5803         struct cfg80211_pmksa pmksa;
5804
5805         memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
5806
5807         if (!info->attrs[NL80211_ATTR_MAC])
5808                 return -EINVAL;
5809
5810         if (!info->attrs[NL80211_ATTR_PMKID])
5811                 return -EINVAL;
5812
5813         pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
5814         pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
5815
5816         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
5817             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
5818                 return -EOPNOTSUPP;
5819
5820         switch (info->genlhdr->cmd) {
5821         case NL80211_CMD_SET_PMKSA:
5822                 rdev_ops = rdev->ops->set_pmksa;
5823                 break;
5824         case NL80211_CMD_DEL_PMKSA:
5825                 rdev_ops = rdev->ops->del_pmksa;
5826                 break;
5827         default:
5828                 WARN_ON(1);